Bug#1064597: apparmor denies libvirt access to /etc/ssl/openssl.cnf
Paul B. Henson
2024-02-24 20:30:01 UTC
Package: libvirt0
Version: 9.0.0-4

When I start VMs, I see this error message in the system logs:

kernel: [578906.082105] audit: type=1400 audit(1708728091.927:140):
apparmor="DENIED" operation="open"
profile="libvirt-f1f75261-a8b3-4987-b3b4-66577cc691b3"
name="/etc/ssl/openssl.cnf" pid=266042 comm="qemu-system-x86" requested_mask="r"
denied_mask="r" fsuid=64055 ouid=0

It appears the libvirt apparmor template does not provide access? I didn't
see this issue under Debian 11, but it started popping up after updating
to Debian 12, specifically. I'm currently running 12.5.
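The denial above is an ordinary AppArmor audit record (type=1400) from the per-domain profile libvirt generates for each running VM. As an added example, not code from the bug report, from libvirt or from Debian, the following Python parses such a record, checks that the profile is one of libvirt's per-domain profiles (named libvirt-<domain UUID>), and turns the denied path and mask into the AppArmor file rule that would allow it. The sample line is the one from the report, re-joined onto a single line; the override path /etc/apparmor.d/local/abstractions/libvirt-qemu named in the usage note is an assumption about where Debian's libvirt-qemu abstraction pulls in site-local rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the denial quoted in the bug report, with the kernel
# log wrapping removed so it is one record on one line.
SAMPLE_LINE = (
    'kernel: [578906.082105] audit: type=1400 audit(1708728091.927:140): '
    'apparmor="DENIED" operation="open" '
    'profile="libvirt-f1f75261-a8b3-4987-b3b4-66577cc691b3" '
    'name="/etc/ssl/openssl.cnf" pid=266042 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=64055 ouid=0'
)

# key=value pairs; the value is either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# libvirt's virt-aa-helper names each domain's profile libvirt-<UUID>.
_LIBVIRT_PROFILE_RE = re.compile(
    r'^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
)

# File permission letters AppArmor accepts verbatim in a rule. Exec ('x')
# needs a qualifier (ix/px/ux...) and is deliberately not auto-generated.
_SIMPLE_MASK_LETTERS = set("rwkml")


@dataclass
class AppArmorDenial:
    profile: str
    operation: str
    path: str
    comm: str
    requested_mask: str
    denied_mask: str
    pid: int


def _fields(line: str) -> Dict[str, str]:
    """Split an audit line into its key=value fields."""
    out: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def parse_denial(line: str) -> Optional[AppArmorDenial]:
    """Return the denial described by an AppArmor type=1400 record, or None
    if the line is not an AppArmor DENIED record with a file path."""
    f = _fields(line)
    if f.get("type") != "1400" or f.get("apparmor") != "DENIED":
        return None
    if "name" not in f or "profile" not in f:
        return None  # e.g. a signal or network denial: no file path
    return AppArmorDenial(
        profile=f["profile"],
        operation=f.get("operation", ""),
        path=f["name"],
        comm=f.get("comm", ""),
        requested_mask=f.get("requested_mask", ""),
        denied_mask=f.get("denied_mask", f.get("requested_mask", "")),
        pid=int(f.get("pid", "0")),
    )


def is_libvirt_domain_profile(profile: str) -> bool:
    """True for libvirt's generated per-VM profiles (libvirt-<UUID>)."""
    return _LIBVIRT_PROFILE_RE.match(profile) is not None


def allow_rule(d: AppArmorDenial) -> Optional[str]:
    """Build the AppArmor file rule that grants exactly the denied access.
    Returns None for masks (such as exec) that need a human to choose the
    qualifier rather than a blindly generated rule."""
    mask = "".join(sorted(set(d.denied_mask)))
    if not mask or not set(mask) <= _SIMPLE_MASK_LETTERS:
        return None
    # AppArmor requires paths containing whitespace to be quoted.
    path = f'"{d.path}"' if any(c.isspace() for c in d.path) else d.path
    return f"{path} {mask},"


if __name__ == "__main__":
    d = parse_denial(SAMPLE_LINE)
    if d is not None and is_libvirt_domain_profile(d.profile):
        print(f"{d.comm} (pid {d.pid}) in {d.profile}: {allow_rule(d)}")
```

Because the libvirt-<UUID> profile is regenerated by virt-aa-helper whenever the domain starts, a rule added to that file does not survive; the durable place for a site-local rule such as `/etc/ssl/openssl.cnf r,` is the local include of the shared abstraction, assumed here to be /etc/apparmor.d/local/abstractions/libvirt-qemu, followed by reloading the profiles with apparmor_parser -r. Check the offending path against the abstraction in the package you actually have installed before adding it, since a newer libvirt may already carry the rule.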
Andrea Bolognani
2024-12-20 18:00:01 UTC
[re-added the bug report]
Post by Paul B. Henson
Package: libvirt0
Version: 9.0.0-4
apparmor="DENIED" operation="open"
profile="libvirt-f1f75261-a8b3-4987-b3b4-66577cc691b3"
name="/etc/ssl/openssl.cnf" pid=266042 comm="qemu-system-x86" requested_mask="r"
denied_mask="r" fsuid=64055 ouid=0
It appears the libvirt apparmor template does not provide access? I didn't
see this issue under Debian 11, but it started popping up after updating
to Debian 12, specifically. I'm currently running 12.5.
https://gitlab.com/libvirt/libvirt/-/issues/712
Upstream is suggesting trying again with AppArmor 4.0.0, which is
unfortunately not really feasible in the context of Debian.
What I would like to confirm, though, is that your VMs are configured
to access disks via HTTP or some other protocol that requires QEMU to
use curl. That would explain why QEMU would need to access OpenSSL
configuration files in the first place, and why I'm not seeing the
denial for my own VMs (which are backed by local storage).
Hmm, no, all of the disks are raw volumes either on lvm or zvols, or ISO
images in the standard /var/lib/libvirt/images directory.
Out of curiosity, are you using UEFI or BIOS? My VMs are UEFI if that makes
a difference. I also have a Windows VM using a software TPM, but I'm pretty
sure I saw the error on my Linux VMs too before I added a local
configuration to allow it.
I've managed to reproduce this locally and the culprit appears to be
the use of SPICE graphics. If I switch to VNC, or disable graphics
entirely, it no longer shows up.
--
Andrea Bolognani <***@kiyuko.org>
Resistance is futile, you will be garbage collected.
Paul B. Henson
2024-12-21 02:00:01 UTC
Post by Andrea Bolognani
I've managed to reproduce this locally and the culprit appears to be
the use of SPICE graphics. If I switch to VNC, or disable graphics
entirely, it no longer shows up.
Ah, yes, I can confirm I also use SPICE for the video transport.