[Pkg-libvirt-maintainers] Bug#1064597: apparmor denies libvirt access to /etc/ssl/openssl.cnf

Andrea Bolognani eof at kiyuko.org
Fri Dec 20 17:50:49 GMT 2024


[re-added the bug report]

On Tue, Dec 17, 2024 at 12:09:34PM -0800, Paul B. Henson wrote:
> On 12/17/2024 5:59 AM, Andrea Bolognani wrote:
> > On Sat, Feb 24, 2024 at 12:16:35PM -0800, Paul B. Henson wrote:
> > > Package: libvirt0
> > > Version: 9.0.0-4
> > > 
> > > When I start VMs, I see this error message in the system logs:
> > > 
> > > kernel: [578906.082105] audit: type=1400 audit(1708728091.927:140):
> > > apparmor="DENIED" operation="open"
> > > profile="libvirt-f1f75261-a8b3-4987-b3b4-66577cc691b3"
> > > name="/etc/ssl/openssl.cnf" pid=266042 comm="qemu-system-x86" requested_mask="r"
> > > denied_mask="r" fsuid=64055 ouid=0
> > > 
> > > It appears the libvirt apparmor template does not provide access? I didn't
> > > see this issue under Debian 11, but it started popping up after updating
> > > to Debian 12, specifically. I'm currently running 12.5.
> > 
> > Laurent has helpfully already forwarded the report upstream:
> > 
> >   https://gitlab.com/libvirt/libvirt/-/issues/712
> > 
> > Upstream is suggesting trying again with AppArmor 4.0.0, which is
> > unfortunately not really feasible in the context of Debian.
> > 
> > What I would like to confirm, though, is that your VMs are configured
> > to access disks via HTTP or some other protocol that requires QEMU to
> > use curl. That would explain why QEMU would need to access OpenSSL
> > configuration files in the first place, and why I'm not seeing the
> > denial for my own VMs (which are backed by local storage).
> 
> Hmm, no, all of the disks are raw volumes either on lvm or zvols, or ISO
> images in the standard /var/lib/libvirt/images directory.
> 
> Out of curiosity, are you using UEFI or BIOS? My VMs are UEFI if that makes
> a difference. I also have a Windows VM using a software TPM, but I'm pretty
> sure I saw the error on my Linux VMs too before I added a local
> configuration to allow it.

I've managed to reproduce this locally and the culprit appears to be
the use of SPICE graphics. If I switch to VNC, or disable graphics
entirely, it no longer shows up.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
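The denial quoted in the report, turned into the kind of site-local override Paul mentions. This is an added example, not code from the thread or from the libvirt project. The override path /etc/apparmor.d/local/abstractions/libvirt-qemu and the assumption that Debian's abstractions/libvirt-qemu ends with "include if exists <local/abstractions/libvirt-qemu>" are assumptions about the packaging; confirm them with the grep in the comments before relying on them. The script only handles file-access denials that carry a name= path and refuses anything else, so it will not silently generate rules for unrelated audit lines.

```shell
#!/bin/sh
# Added example (not from the bug thread or from libvirt): turn an AppArmor
# "DENIED" audit line into the allow rule to place in the site-local override
# for the libvirt-qemu abstraction.
#
# Assumption about Debian's packaging: /etc/apparmor.d/abstractions/libvirt-qemu
# ends with
#   include if exists <local/abstractions/libvirt-qemu>
# so rules in /etc/apparmor.d/local/abstractions/libvirt-qemu survive package
# upgrades. Check on your host with:
#   grep -n 'local/abstractions/libvirt-qemu' /etc/apparmor.d/abstractions/libvirt-qemu

# Constructed sample input: the denial from the bug report, on one line.
SAMPLE_DENIAL='kernel: [578906.082105] audit: type=1400 audit(1708728091.927:140): apparmor="DENIED" operation="open" profile="libvirt-f1f75261-a8b3-4987-b3b4-66577cc691b3" name="/etc/ssl/openssl.cnf" pid=266042 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0'

# Print the value of a key="value" field from an audit line; prints nothing
# if the key is absent. $1 = audit line, $2 = key name.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the AppArmor file rule that satisfies the denial. Only lines that are
# actual denials and carry a name= path plus a denied_mask are accepted.
aa_rule_from_denial() {
    line=$1
    status=$(audit_field "$line" apparmor)
    path=$(audit_field "$line" name)
    mask=$(audit_field "$line" denied_mask)
    [ "$status" = "DENIED" ] || { echo "not a denial" >&2; return 1; }
    [ -n "$path" ] && [ -n "$mask" ] || { echo "no path/mask in line" >&2; return 1; }
    # A directory path gets a trailing glob; a file path is used verbatim.
    case $path in
        */) printf '%s** %s,\n' "$path" "$mask" ;;
        *)  printf '%s %s,\n' "$path" "$mask" ;;
    esac
}

# Report the guest UUID whose per-guest profile was hit, for correlating
# with `virsh list --uuid`. Per-guest profiles are named libvirt-<uuid>.
aa_profile_from_denial() {
    audit_field "$1" profile | sed 's/^libvirt-//'
}

# Render the complete contents of the local override file (nothing is
# written to disk here; redirect the output yourself).
aa_local_override() {
    rule=$(aa_rule_from_denial "$1") || return 1
    printf '# Site-local additions to abstractions/libvirt-qemu\n'
    printf '# Seen when a guest uses SPICE graphics (Debian bug #1064597):\n'
    printf '%s\n' "$rule"
}

if [ "${1:-}" = "--demo" ]; then
    aa_local_override "$SAMPLE_DENIAL"
    echo "guest UUID: $(aa_profile_from_denial "$SAMPLE_DENIAL")"
fi
```

Run it with --demo to see the rule and the guest UUID; to apply it, append the rendered rule to the local override file as root and start the guest again, since libvirt builds and loads the per-guest profile when the guest starts. Prefer the local override over editing the shipped abstraction, so the change is not lost on the next libvirt upgrade.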