[Bug 1968586] [NEW] apparmor rules block socket and log creation
Liam Young
1968586 at bugs.launchpad.net
Mon Apr 11 14:47:42 UTC 2022
Public bug reported:
While testing using openstack, guests failed to launch and these denied
messages were logged:
[ 8307.089627] audit: type=1400 audit(1649684291.592:109): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/11-instance-0000000b-swtpm.sock" pid=141283 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=117 ouid=117
[10363.999211] audit: type=1400 audit(1649686348.455:115): apparmor="DENIED" operation="open" profile="swtpm" name="/var/log/swtpm/libvirt/qemu/instance-0000000e-swtpm.log" pid=184479 comm="swtpm" requested_mask="ac" denied_mask="ac" fsuid=117 ouid=117
Adding
/run/libvirt/qemu/swtpm/* rwk,
/var/log/swtpm/libvirt/qemu/* rwk,
to /etc/apparmor.d/usr.bin.swtpm and reloading the profile seems to fix the issue.
(Note: This is very similar to existing Bug #1968335)
** Affects: swtpm (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1968586
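Added example, not part of the original report and not code from swtpm or the AppArmor tools: Python that parses the two denials quoted in the report and derives the file rules they call for. It assumes that create (c) and delete (d) in an audit mask are granted by w in a profile rule and that a glob over the parent directory is acceptable; the function names are hypothetical.

```python
import re
from posixpath import dirname

# The two audit records from the report, each joined onto one line.
SAMPLE_LOG = """\
[ 8307.089627] audit: type=1400 audit(1649684291.592:109): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/11-instance-0000000b-swtpm.sock" pid=141283 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=117 ouid=117
[10363.999211] audit: type=1400 audit(1649686348.455:115): apparmor="DENIED" operation="open" profile="swtpm" name="/var/log/swtpm/libvirt/qemu/instance-0000000e-swtpm.log" pid=184479 comm="swtpm" requested_mask="ac" denied_mask="ac" fsuid=117 ouid=117
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def profile_perms(denied_mask):
    """Map audit mask letters to the permission letters used in a profile rule."""
    # Assumption: create (c) and delete (d) are covered by 'w' in a file rule.
    perms = {"w" if ch in "cd" else ch for ch in denied_mask}
    if "w" in perms:
        perms.discard("a")  # 'w' already covers append; one rule cannot hold both
    return "".join(sorted(perms, key="rwalkmx".find))


def suggest_rules(log_text, profile):
    """Merge the denied file accesses of `profile` into one rule per directory."""
    wanted = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        if "name" not in rec or "denied_mask" not in rec:
            continue  # not a file-access denial
        # Instance names vary per guest, so glob the parent directory.
        glob = dirname(rec["name"]) + "/*"
        wanted.setdefault(glob, set()).update(rec["denied_mask"])
    return [f"{glob} {profile_perms(mask)}," for glob, mask in sorted(wanted.items())]


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "swtpm"):
        print(rule)
```

The logged masks ask only for create and append, so the derived rules carry w alone. Review derived rules before adding them to /etc/apparmor.d/usr.bin.swtpm and reloading the profile.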