[Pkg-libvirt-maintainers] Bug#875732: libvirt-daemon-system: Create vm from iso in gnome-boxes fails: apparmor profile denies

Clément Hermann nodens at nodens.org
Thu Sep 14 07:13:57 UTC 2017


Package: libvirt-daemon-system
Version: 3.6.0-1
Severity: normal

Hi,

The virt-aa-helper AppArmor profile shipped with libvirt-daemon-system
prevents gnome-boxes from accessing .local, and so from booting new VMs
created from an ISO or imported.

type=AVC msg=audit(1505371989.794:47034): apparmor="DENIED"
operation="open" profile="virt-aa-helper"
name="/home/nodens/.local/share/gnome-boxes/images/boxes-unknown"
pid=13982 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000


I guess the profile should be updated to allow gnome-boxes to access its
own .local directory. However, I'm not sure about the best way to do it:
allowing access to .local/share/gnome-boxes when virt-aa-helper isn't
launched by boxes seems wrong.

Cheers,

nodens

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser              3.115
ii  debconf              1.5.63
ii  gettext-base         0.19.8.1-2+b1
ii  init-system-helpers  1.49
ii  iptables             1.6.1-2
ii  libapparmor1         2.11.0-10
ii  libaudit1            1:2.7.7-1+b2
ii  libblkid1            2.29.2-2
ii  libc6                2.24-14
ii  libcap-ng0           0.7.7-3+b1
ii  libdbus-1-3          1.11.16+really1.10.22-1
ii  libdevmapper1.02.1   2:1.02.137-2+b1
ii  libnl-3-200          3.2.27-2
ii  libnl-route-3-200    3.2.27-2
ii  libnuma1             2.0.11-2.1
ii  libselinux1          2.6-3+b2
ii  libvirt-clients      3.6.0-1
ii  libvirt-daemon       3.6.0-1
ii  libvirt0             3.6.0-1
ii  libxml2              2.9.4+dfsg1-3
ii  libyajl2             2.1.0-2+b3
ii  logrotate            3.11.0-0.1
ii  lsb-base             9.20161125
ii  policykit-1          0.105-18

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-14
ii  dmidecode     3.1-1
ii  dnsmasq-base  2.77-2
ii  ebtables      2.0.10.4-3.5+b1
ii  iproute2      4.9.0-1
ii  parted        3.2-17

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.11.0-10
ii  auditd      1:2.7.7-1+b2
ii  nfs-common  1:1.3.4-2.1+b1
ii  pm-utils    1.4.1-17
pn  radvd       <none>
ii  systemd     234-2
pn  systemtap   <none>
pn  zfsutils    <none>

-- Configuration Files:
/etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-arp.xml'
/etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-dhcp-server.xml'
/etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-dhcp.xml'
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
/etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/allow-ipv4.xml'
/etc/libvirt/nwfilter/clean-traffic.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/clean-traffic.xml'
/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-arp-spoofing.xml'
/etc/libvirt/nwfilter/no-ip-multicast.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-ip-multicast.xml'
/etc/libvirt/nwfilter/no-ip-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-mac-broadcast.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-mac-broadcast.xml'
/etc/libvirt/nwfilter/no-mac-spoofing.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-other-l2-traffic.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-other-l2-traffic.xml'
/etc/libvirt/nwfilter/no-other-rarp-traffic.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/no-other-rarp-traffic.xml'
/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml'
/etc/libvirt/nwfilter/qemu-announce-self.xml [Errno 13] Permission non accordée: '/etc/libvirt/nwfilter/qemu-announce-self.xml'
/etc/libvirt/qemu.conf [Errno 13] Permission non accordée: '/etc/libvirt/qemu.conf'
/etc/libvirt/qemu/networks/default.xml [Errno 13] Permission non accordée: '/etc/libvirt/qemu/networks/default.xml'

-- debconf information:
  libvirt-daemon-system/id_warning: true

