Bugzilla – Full Text Bug Listing |
| Summary: | /usr/{bin,sbin}/dnsmasq profile name alternation breaks libvirt | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Christian Boltz <suse-beta> |
| Component: | AppArmor | Assignee: | Christian Boltz <suse-beta> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | jfehlig, rgoldwyn, zkalmar |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
SR 679593 sent to Factory.

This is an autogenerated message for OBS integration:
This bug (1127073) was mentioned in
https://build.opensuse.org/request/show/679593 Factory / apparmor

(In reply to Christian Boltz from comment #1)
> SR 679593 sent to Factory.

AFAICT, the only change in that SR is

-/usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+/usr/sbin/dnsmasq flags=(attach_disconnected) {

which wasn't enough in my testing on TW where the libvirtd profile is now a named one. I also had to make the following changes to finally allow libvirtd to kill off dnsmasq processes

signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+ signal (receive) peer=libvirtd,
ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+ ptrace (readby) peer=libvirtd,

BTW, do those instances of {bin,sbin} also need to be changed to just sbin?

I think we can completely remove
signal (receive) peer=/usr/{bin,sbin}/libvirtd
and
ptrace (readby) peer=/usr/{bin,sbin}/libvirtd.

Jim, does it work in your test environment if you do so?
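Review bot: the second snippet in comment #3 only adds the `peer=libvirtd` rules and leaves `signal (receive) peer=/usr/{bin,sbin}/libvirtd,` and `ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,` in place (they carry no `-`), so the dnsmasq profile keeps working both where libvirtd is still confined under the path-based profile name and on TW where it is the named profile `libvirtd`; that is consistent with the first snippet fixing only one direction, since renaming the profile to `/usr/sbin/dnsmasq` makes libvirtd's existing `peer=/usr/sbin/dnsmasq` rule match, while the receive side in the dnsmasq profile still needs a peer pattern that matches the name `libvirtd`. The comment would be clearer if it said which releases each pair of rules is meant for, because the question whether `{bin,sbin}` should become `sbin` has a different answer for a path-based and for a named libvirtd profile.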
(In reply to Goldwyn Rodrigues from comment #4)
> I think we can completely remove
> signal (receive) peer=/usr/{bin,sbin}/libvirtd
> and
> ptrace (readby) peer=/usr/{bin,sbin}/libvirtd.
>
> Jim, does it work in your test environment if you do so?

Yes, and AFAIK it would be fine to do that in Factory/TW and SLE15 SP1 where the libvirtd profile has been changed to a named profile. ATM, the SLE15 libvirtd profile is the older "/usr/sbin/libvirtd {" variant, so there we only need Christian's change in SR#679593.

I just sent SR 679945 with peer=/usr/sbin/libvirtd rules which is needed for SLE/Leap 15.0, and can't hurt in newer versions ;-)

peer=libvirtd is already included in the Tumbleweed package, and IIRC (please check to be sure) I also added it in the last maintenance update for SLE/Leap 15.

Regarding cleaning up the path-based peer rules - we could do that one day, but upstream prefers to stay backward-compatible. Exceptions are a) if staying backward-compatible hurts (not the case for peer=...) or b) if there's a very good reason (like too broad permissions) to remove an existing rule.

This is an autogenerated message for OBS integration:
This bug (1127073) was mentioned in
https://build.opensuse.org/request/show/679945 Factory / apparmor

Fixed in Tumbleweed.

Goldwyn, what's the status on the SLE 15.x side?

Hi,
The maintenance request has been proceeded. As soon as the QA qualifies this, we can release.
https://build.suse.de/project/show/SUSE:Maintenance:10546

SUSE-RU-2019:0577-1: An update that has two recommended fixes can now be installed.
Category: recommended (important)
Bug References: 1123820,1127073
CVE References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): apparmor-2.12.2-7.12.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): apparmor-2.12.2-7.12.1
SUSE Linux Enterprise Module for Basesystem 15 (src): apparmor-2.12.2-7.12.1, libapparmor-2.12.2-7.12.1

Release request has been created: https://build.suse.de/request/show/186705

(In reply to Christian Boltz from comment #10)
> Fixed in Tumbleweed.
>
> Goldwyn, what's the status on the SLE 15.x side?

This has been submitted as per comment#12

For the record: The update for Leap 15.0 is on its way, but not released yet:
https://build.opensuse.org/project/show/openSUSE:Maintenance:9802
https://build.opensuse.org/request/show/688704

openSUSE-RU-2019:1063-1: An update that has two recommended fixes can now be installed.
Category: recommended (important)
Bug References: 1123820,1127073
CVE References:
Sources used:
openSUSE Leap 15.0 (src): apparmor-2.12.2-lp150.6.11.2, libapparmor-2.12.2-lp150.6.11.2
*** NOTE: This information is not intended to be used for external
communication, because this may only be a partial fix.
If you have questions please reach out to maintenance coordination.
Got this report by mail:

The /usr/{bin,sbin}/dnsmasq profile name alternation that was added in the latest AppArmor releases breaks libvirt:

type=AVC msg=audit(1551204355.326:125): apparmor="DENIED" operation="signal" profile="libvirtd" pid=3951 comm="libvirtd" requested_mask="send" denied_mask="send" signal=kill peer="/usr/{bin,sbin}/dnsmasq"
type=AVC msg=audit(1551204355.326:126): apparmor="DENIED" operation="signal" profile="/usr/{bin,sbin}/dnsmasq" pid=3951 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=kill peer="libvirtd"

The libvirtd profile allows peer=/usr/sbin/dnsmasq and everybody thought that this will also allow the "correct half" of the alternation - but sadly in practice it doesn't work.

I'll submit updated packages to Tumbleweed and ask Goldwyn to apply the needed patch to the SLE/Leap 15 package.
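To make the mismatch in the report above concrete, here is an added example; it is not part of the bug report and not code from the AppArmor or libvirt projects. It parses the two AVC lines quoted in the report, checks each denial against the peer rules the thread names, and uses a simplified AppArmor-style glob matcher (alternation, `*`, `**`, `?`) to show why a peer name the kernel reports literally as `/usr/{bin,sbin}/dnsmasq` is not matched by `peer=/usr/sbin/dnsmasq`, while `peer=/usr/{bin,sbin}/libvirtd` matches the path `/usr/sbin/libvirtd` but not the named profile `libvirtd`. The rule table `PEER_RULES`, the helper names and the glob subset are my assumptions, not AppArmor's real matcher.

```python
import re

# The two audit lines quoted in the bug report.
AUDIT_LINES = [
    'type=AVC msg=audit(1551204355.326:125): apparmor="DENIED" operation="signal" '
    'profile="libvirtd" pid=3951 comm="libvirtd" requested_mask="send" '
    'denied_mask="send" signal=kill peer="/usr/{bin,sbin}/dnsmasq"',
    'type=AVC msg=audit(1551204355.326:126): apparmor="DENIED" operation="signal" '
    'profile="/usr/{bin,sbin}/dnsmasq" pid=3951 comm="libvirtd" requested_mask="receive" '
    'denied_mask="receive" signal=kill peer="libvirtd"',
]

# Peer rules as the thread describes them (assumed table, not read from real
# profile files): libvirtd may send signals to peer=/usr/sbin/dnsmasq, and the
# dnsmasq profile may receive signals from peer=/usr/{bin,sbin}/libvirtd.
PEER_RULES = {
    ("libvirtd", "signal", "send"): ["/usr/sbin/dnsmasq"],
    ("/usr/{bin,sbin}/dnsmasq", "signal", "receive"): ["/usr/{bin,sbin}/libvirtd"],
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one audit line into a key/value dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def aa_glob_to_regex(pattern):
    """Translate the glob subset used in peer= rules to a regex.

    {a,b} is an alternation, * matches within one path component, ** across
    components, ? one character; everything else is literal. This is an
    assumed simplification of AppArmor's matcher, not its implementation.
    """
    out, depth, i = [], 0, 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


def peer_matches(peer_pattern, profile_name):
    """A peer= pattern is matched against the peer's profile name as a plain
    string: the reported name is literal, so braces in it are not a pattern."""
    return aa_glob_to_regex(peer_pattern).fullmatch(profile_name) is not None


def diagnose(line, rules=PEER_RULES):
    """For a signal/ptrace DENIED line, report which configured peer rules
    (if any) would have matched the peer name the kernel reported."""
    f = parse_avc(line)
    if f.get("apparmor") != "DENIED" or f.get("operation") not in ("signal", "ptrace"):
        return None
    peer = f.get("peer", "")
    candidates = rules.get((f["profile"], f["operation"], f["denied_mask"]), [])
    return {
        "profile": f["profile"],
        "peer": peer,
        "rules_checked": candidates,
        "matching_rules": [p for p in candidates if peer_matches(p, peer)],
        "peer_is_literal_alternation": "{" in peer,
    }


if __name__ == "__main__":
    for line in AUDIT_LINES:
        d = diagnose(line)
        print(f"{d['profile']} -> {d['peer']}: checked {d['rules_checked']}, "
              f"matched {d['matching_rules'] or 'nothing'}")
```

Running it shows both denials with an empty match list: the first because the literal name `/usr/{bin,sbin}/dnsmasq` is not the string `/usr/sbin/dnsmasq`, the second because `libvirtd` is a named profile and no longer a path. That is why the fix needs both the profile rename and a `peer=libvirtd` rule, as the later comments work out.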