I have successfully (I believe) built (rebuilt on Ubuntu 14.04), installed, and used libvirt 1.2.2. Behaviorally I can't tell the difference between what I've built and what Ubuntu distributes.

Specifically, "virsh capabilities" shows this:

    <secmodel>
      <model>apparmor</model>
      <doi>0</doi>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+112:+113</baselabel>
      <baselabel type='qemu'>+112:+113</baselabel>
    </secmodel>

Which seems reasonable as well as expected.

I build 1.2.8 using the same commands, install the generated packages, recycle, and virsh reports this:

    <secmodel>
      <model>none</model>
      <doi>0</doi>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+112:+113</baselabel>
      <baselabel type='qemu'>+112:+113</baselabel>
    </secmodel>

The AppArmor security model is missing, but it's unclear why that might be. The AppArmor library is linked in and used (according to ldd), and nothing else on the system changes. I can install / de-install the two versions and repeatedly demonstrate this change.

Any suggestions on what I should be looking for? Nothing comes up via a web search.

Again: no special options on the configure, and the same technique is used to build both versions. I'm looking for any pointers before I start digging into the code.

Thanks in advance!!

Gary
Daniel P. Berrange
2014-Sep-26 09:25 UTC
Re: [libvirt-users] Missing security model in 1.2.8?
On Thu, Sep 25, 2014 at 09:03:57PM +0000, Gary Hook wrote:
> I have successfully (I believe) built (rebuilt on Ubuntu 14.04), installed, and used libvirt 1.2.2. Behaviorally I can't tell the difference between what I've built and what Ubuntu distributes.
>
> Specifically, "virsh capabilities" shows this:
>
>     <secmodel>
>       <model>apparmor</model>
>       <doi>0</doi>
>     </secmodel>
>     <secmodel>
>       <model>dac</model>
>       <doi>0</doi>
>       <baselabel type='kvm'>+112:+113</baselabel>
>       <baselabel type='qemu'>+112:+113</baselabel>
>     </secmodel>
>
> Which seems reasonable as well as expected.
>
> I build 1.2.8 using the same commands, install the generated packages, recycle, and virsh reports this:
>
>     <secmodel>
>       <model>none</model>
>       <doi>0</doi>
>     </secmodel>
>     <secmodel>
>       <model>dac</model>
>       <doi>0</doi>
>       <baselabel type='kvm'>+112:+113</baselabel>
>       <baselabel type='qemu'>+112:+113</baselabel>
>     </secmodel>
>
> The AppArmor security model is missing, but it's unclear why that might be. The AppArmor library is linked in and used (according to ldd), and nothing else on the system changes. I can install / de-install the two versions and repeatedly demonstrate this change.
>
> Any suggestions on what I should be looking for? Nothing comes up via a web search.
>
> Again: no special options on the configure, and the same technique is used to build both versions. I'm looking for any pointers before I start digging into the code.

Try running libvirtd with

    LIBVIRT_LOG_FILTERS="1:qemu 1:security" LIBVIRT_LOG_OUTPUTS="1:stderr" /usr/sbin/libvirtd

As it starts up, you ought to see some messages about it trying to initialize the security drivers. If you're lucky one might tell you why apparmor was missing, if you compare the log messages from both builds.
Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
On 9/26/14, 4:25 AM, "Daniel P. Berrange" <berrange@redhat.com> wrote:
> On Thu, Sep 25, 2014 at 09:03:57PM +0000, Gary Hook wrote:
>> I have successfully (I believe) built (rebuilt on Ubuntu 14.04), installed, and used libvirt 1.2.2. Behaviorally I can't tell the difference between what I've built and what Ubuntu distributes.
>>
>> Specifically, "virsh capabilities" shows this:
>>
>>     <secmodel>
>>       <model>apparmor</model>
>>       <doi>0</doi>
>>     </secmodel>
>>     <secmodel>
>>       <model>dac</model>
>>       <doi>0</doi>
>>       <baselabel type='kvm'>+112:+113</baselabel>
>>       <baselabel type='qemu'>+112:+113</baselabel>
>>     </secmodel>
>>
>> Which seems reasonable as well as expected.
>>
>> I build 1.2.8 using the same commands, install the generated packages, recycle, and virsh reports this:
>>
>>     <secmodel>
>>       <model>none</model>
>>       <doi>0</doi>
>>     </secmodel>
>>     <secmodel>
>>       <model>dac</model>
>>       <doi>0</doi>
>>       <baselabel type='kvm'>+112:+113</baselabel>
>>       <baselabel type='qemu'>+112:+113</baselabel>
>>     </secmodel>
>>
>> The AppArmor security model is missing, but it's unclear why that might be. The AppArmor library is linked in and used (according to ldd), and nothing else on the system changes. I can install / de-install the two versions and repeatedly demonstrate this change.
>>
>> Any suggestions on what I should be looking for? Nothing comes up via a web search.
>>
>> Again: no special options on the configure, and the same technique is used to build both versions. I'm looking for any pointers before I start digging into the code.
>
> Try running libvirtd with
>
>     LIBVIRT_LOG_FILTERS="1:qemu 1:security" LIBVIRT_LOG_OUTPUTS="1:stderr" /usr/sbin/libvirtd
>
> As it starts up, you ought to see some messages about it trying to initialize the security drivers. If you're lucky one might tell you why apparmor was missing, if you compare the log messages from both builds.

Thanks so much for the pointer.
This bit of info wasn't showing up in the usual debugging log that I was slogging through:

    2014-09-26 16:21:24.218+0000: 28472: info : libvirt version: 1.2.8
    2014-09-26 16:21:24.218+0000: 28472: error : virStoragePoolDefParseNode:981 : XML error: unexpected root element <disk>, expecting <pool>
    2014-09-26 16:21:24.330+0000: 28472: debug : virSecurityDriverLookup:60 : name=<null>
    2014-09-26 16:21:24.330+0000: 28472: error : AppArmorSecurityManagerProbe:372 : internal error: template '/etc/apparmor.d/libvirt/TEMPLATE.qemu' does not exist
    2014-09-26 16:21:24.330+0000: 28472: debug : virSecurityDriverLookup:76 : Not enabled name=apparmor
    2014-09-26 16:21:24.330+0000: 28472: debug : virSecurityDriverLookup:71 : Probed name=none

(Stream of thought...) Missing TEMPLATE.qemu. Where did that come from? Turns out I have to learn to look through the entire source distro, instead of seeing a summary README or exhaustive CHANGES file. What I need is in the examples directory. Good enough.

Then, more searching and I find this:

https://www.mail-archive.com/libvir-list%40redhat.com/msg102645.html

I would have chosen to implement this type of change in 1.3, but that's just me. I also would not have changed the default behavior, but rather built upon it. Again, that's just me.

Your guidance and expertise are appreciated. Thank you.
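The two checks this thread turns on, written up as an added example (not code from the thread, from Gary, or from libvirt): listing the <secmodel> entries in "virsh capabilities" output so a missing confinement driver is noticed, and pulling the security-driver probe outcome out of the libvirtd log that Daniel's LIBVIRT_LOG_FILTERS setting produces. The <capabilities><host> envelope, the sample log text and the function names (security_models, security_probe_report, diagnose) are constructed here from the fragments posted above; the log-line layout is assumed to match those quoted lines.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <secmodel> fragments Gary posted, wrapped in a
# minimal <capabilities><host> envelope so they parse as one document.
CAPS_122 = """<capabilities><host>
  <secmodel><model>apparmor</model><doi>0</doi></secmodel>
  <secmodel><model>dac</model><doi>0</doi>
    <baselabel type='kvm'>+112:+113</baselabel>
    <baselabel type='qemu'>+112:+113</baselabel>
  </secmodel>
</host></capabilities>"""

# The 1.2.8 output differs only in the first model name.
CAPS_128 = CAPS_122.replace("<model>apparmor</model>", "<model>none</model>")

# Constructed sample: the libvirtd startup lines quoted in the thread.
LOG_128 = """\
2014-09-26 16:21:24.218+0000: 28472: info : libvirt version: 1.2.8
2014-09-26 16:21:24.218+0000: 28472: error : virStoragePoolDefParseNode:981 : XML error: unexpected root element <disk>, expecting <pool>
2014-09-26 16:21:24.330+0000: 28472: debug : virSecurityDriverLookup:60 : name=<null>
2014-09-26 16:21:24.330+0000: 28472: error : AppArmorSecurityManagerProbe:372 : internal error: template '/etc/apparmor.d/libvirt/TEMPLATE.qemu' does not exist
2014-09-26 16:21:24.330+0000: 28472: debug : virSecurityDriverLookup:76 : Not enabled name=apparmor
2014-09-26 16:21:24.330+0000: 28472: debug : virSecurityDriverLookup:71 : Probed name=none
"""

# "timestamp: pid: level : rest" (assumed layout, taken from the lines above)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+): (?P<pid>\d+): (?P<level>\w+) : (?P<rest>.*)$"
)
# "function:line : message"; the version banner has no such prefix
FUNC_RE = re.compile(r"^(?P<func>\w+):(?P<line>\d+) : (?P<msg>.*)$")


def security_models(capabilities_xml):
    """Map each <secmodel> in 'virsh capabilities' output to its doi and baselabels."""
    root = ET.fromstring(capabilities_xml)
    models = {}
    for sm in root.iter("secmodel"):
        models[sm.findtext("model")] = {
            "doi": sm.findtext("doi"),
            "baselabels": {bl.get("type"): bl.text for bl in sm.findall("baselabel")},
        }
    return models


def security_probe_report(log_text):
    """Extract which driver virSecurityDriverLookup settled on, which ones it
    rejected, and the error each rejected driver logged while probing."""
    report = {"probed": None, "not_enabled": [], "reasons": {}}
    errors = []  # (function, message) for every error-level line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        f = FUNC_RE.match(m.group("rest"))
        if not f:
            continue
        func, msg = f.group("func"), f.group("msg")
        if m.group("level") == "error":
            errors.append((func, msg))
        elif func == "virSecurityDriverLookup":
            if msg.startswith("Probed name="):
                report["probed"] = msg[len("Probed name="):]
            elif msg.startswith("Not enabled name="):
                report["not_enabled"].append(msg[len("Not enabled name="):])
    # Attribute errors to a driver by its name appearing in the function name,
    # e.g. AppArmorSecurityManagerProbe -> apparmor.
    for drv in report["not_enabled"]:
        for func, msg in errors:
            if drv in func.lower():
                report["reasons"][drv] = msg
    return report


def diagnose(good_caps, bad_caps, bad_log):
    """Name each security model present in one build but absent in the other,
    paired with the reason the bad build's log gives for dropping it."""
    lost = sorted(set(security_models(good_caps)) - set(security_models(bad_caps)))
    report = security_probe_report(bad_log)
    return {drv: report["reasons"].get(drv, "no error logged") for drv in lost}


if __name__ == "__main__":
    for drv, why in diagnose(CAPS_122, CAPS_128, LOG_128).items():
        print(f"{drv}: {why}")
```

On a live host the two inputs would be the output of "virsh capabilities" from each build and the stderr captured from libvirtd started with the filters Daniel gave; a "none" model replacing "apparmor" is the condition worth alerting on, since guests then run unconfined.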