[Bug 1326865] Re: libvirt cannot kill dhcp in containers

[John Johansen]

Actually change_profile has always been allowed by confined processes.
It just requires a rule in the profile.

My question here is who is running dclient and why? Is dhclient being
started by libvirt as part of its network setup for the container? Or is
it a dhclient being run in the container.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1326865

Title:
  libvirt cannot kill dhcp in containers

Status in “isc-dhcp” package in Ubuntu:
  New

Bug description:
  If I create a ubuntu container and start it as a libvirt-lxc
  container, it runs under the host dhcp profile.  Then when I try virsh
  -c lxc:/// destroy c1, libvirtd tries to kill dhcp in the container
  but fails:

  Jun  5 17:54:14 t1 kernel: [ 2563.620698] type=1400 audit(1401983654.375:28): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4304 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
  Jun  5 17:54:14 t1 kernel: [ 2563.660491] type=1400 audit(1401983654.415:29): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
  Jun  5 17:54:14 t1 kernel: [ 2563.660600] type=1400 audit(1401983654.415:30): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"

  I don't actually understand the mechanisms here (that a profile should
  be able to refuse receiving signals), and it seems like the proper fix
  is to have libvirt-lxc start containers confined in a container
  policy, but Jamie seemed to have another solution, which would be
  great.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1326865/+subscriptions