Bug 911001 - dnsmasq apparmor profile prevents libvirt default network to start
dnsmasq apparmor profile prevents libvirt default network to start
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: AppArmor
201412*
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Cédric Bosdonnat
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-12-22 10:16 UTC by Cédric Bosdonnat
Modified: 2020-06-05 02:52 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Cédric Bosdonnat 2014-12-22 10:16:31 UTC
This commit in libvirt forces dnsmasq to actually use the leaseshelper program:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=421406808abaf7eb66abd27d71c21ae5b783a380

The problem is that the dnsmasq apparmor profile prevents the libvirt default network to start due to:
  * Not allowing /bin/bash to be run
  * Not allowing leaseshealper contained in /usr/lib64 folder to be run.

Note that this bug may hit 13.2 if an updated libvirt is shipped there.
Comment 1 Cédric Bosdonnat 2014-12-22 10:16:56 UTC
Already got a patch for it
Comment 2 Bernhard Wiedemann 2014-12-22 13:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (911001) was mentioned in
https://build.opensuse.org/request/show/266151 Factory / apparmor
Comment 3 Bernhard Wiedemann 2015-01-19 14:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (911001) was mentioned in
https://build.opensuse.org/request/show/281956 13.2 / apparmor
Comment 4 Jon Nelson 2015-01-21 22:58:49 UTC
Will this also be released as an update to 13.1?
Comment 5 Cédric Bosdonnat 2015-01-22 07:46:07 UTC
(In reply to Jon Nelson from comment #4)
> Will this also be released as an update to 13.1?

@cboltz: did you have any plan to backport it to 13.1 too?
Comment 6 Christian Boltz 2015-01-22 20:21:52 UTC
(In reply to Cedric Bosdonnat from comment #5)
> (In reply to Jon Nelson from comment #4)
> > Will this also be released as an update to 13.1?
> 
> @cboltz: did you have any plan to backport it to 13.1 too?

Not really ;-) - but the more interesting question is if it is needed for 13.1.

Will 13.1 get updated libvirt packages that need the updated profile?
- If yes, then I'll happiliy submit an update.
- If not, I tend to say "wontfix for 13.1".

Anyway, a SR to security:apparmor/apparmor_2_8 (that's my base for 12.3 updates) is always welcome ;-) and makes sure that it will be included in a future update.
Comment 7 Cédric Bosdonnat 2015-01-23 09:02:18 UTC
(In reply to Christian Boltz from comment #6)
> (In reply to Cedric Bosdonnat from comment #5)
> > (In reply to Jon Nelson from comment #4)
> > > Will this also be released as an update to 13.1?
> > 
> > @cboltz: did you have any plan to backport it to 13.1 too?
> 
> Not really ;-) - but the more interesting question is if it is needed for
> 13.1.
> 
> Will 13.1 get updated libvirt packages that need the updated profile?
> - If yes, then I'll happiliy submit an update.
> - If not, I tend to say "wontfix for 13.1".

13.1 won't change libvirt version later on, and doesn't have that problem since it doesn't start dnsmasq in the same way. So better say won't fix for 13.1
Comment 8 Christian Boltz 2015-01-28 17:04:09 UTC
An update for 13.2 is on its way :-)
https://build.opensuse.org/project/show/openSUSE:Maintenance:3469

As discussed before, wontfix for 13.1, but I'll accept patches to security:apparmor/apparmor_2_8
Comment 9 Swamp Workflow Management 2015-02-04 17:09:40 UTC
openSUSE-RU-2015:0216-1: An update that has 6 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 904620,905368,906858,907870,908856,911001
CVE References: 
Sources used:
openSUSE 13.2 (src):    apparmor-2.9.1-4.1
Comment 10 Bernhard Wiedemann 2015-04-24 23:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (911001) was mentioned in
https://build.opensuse.org/request/show/303872 Factory / apparmor
Comment 11 Bernhard Wiedemann 2015-09-16 11:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (911001) was mentioned in
https://build.opensuse.org/request/show/331402 Leap:42.1 / apparmor
Comment 12 Bernhard Wiedemann 2016-04-17 00:00:52 UTC
This is an autogenerated message for OBS integration:
This bug (911001) was mentioned in
https://build.opensuse.org/request/show/390301 13.2 / apparmor
Comment 13 Swamp Workflow Management 2016-04-17 13:08:24 UTC
openSUSE-RU-2016:1063-1: An update that has 18 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 853019,906858,911001,917577,918787,921098,923201,931792,939568,940749,945592,948584,948753,954104,954958,954959,964971,971790
CVE References: 
Sources used:
openSUSE 13.2 (src):    apparmor-2.9.3-7.1