similar to: apparmor and kvm/libvirt

Hi guys, I want to enable apparmor security driver for my libvirt env with ubuntu os. What I do is as following: First, I got the source code and compile it. ubuntu@ubuntu:~/github$git clone git://libvirt.org/libvirt.git ubuntu@ubuntu:~/github/libvirt$ dpkg -l|grep apparmor ii apparmor 2.8.95~2430-0ubuntu5 amd64 User-space parser utility for AppArmor ii libapparmor-dev:amd64

Hi everyone, this is my first post at this mailing list. I have a question about upgrading libvirt, but also can fit to Apparmor. For example, I already installed KVM + libvirt from apt-get on Ubuntu 14.04. But the libvirt version is 1.2.9, so I want upgrade to 1.3.4 manually. Search the Internet, only few posts show how to edit so that can launch VM with Apparmor enabled. Most of posts says

Hi I'm quite new to KVM/libvirt0 so hope you can help I'm using Ubuntu Lucid 10.04 and libvirt0 0.8.1 When I try a :- snapshot create vm_name I get an error, ie 'error -5 while writing' Googling doesnt bring anything up. Taking snapshots of a vm when it isnt running works fine. Can I really only create snapshots of a vm when it isnt running ? -- Kind regards Julian

On Tue, 28 Nov 2017 08:37:22 -0600 Dale Schroeder via samba <samba at lists.samba.org> wrote: > > > On 11/28/2017 2:38 AM, Rowland Penny via samba wrote: > > On Mon, 27 Nov 2017 14:53:32 -0600 > > Dale Schroeder via samba <samba at lists.samba.org> wrote: > > > >> Last week, Debian testing (Buster) added apparmor to the list of > >>

Hi All, Through interpreting what the current Wiki article says, plus some trial and error: The following AppArmor rules *appear* to work for a Samba AD DC using the stuff from the distro for Ubuntu 14.04 LTS: $ cat /etc/apparmor.d/local/usr.sbin.named # Site-specific additions and overrides for usr.sbin.named. # For more details, please see /etc/apparmor.d/local/README. /dev/urandom w,

Dale, Been using Ubuntu server for years in my AD. Discovered a long time ago that apparmor is not needed for a server. (Someone is probably going to argue the other that is should be but . . .) Do not quote me but, I have read that AppArmor is intended more for a desktop environment. I have always disabled and then removed AppArmor and have never had any issues. Of course I am behind a hardware

On Tue, 28 Nov 2017 11:24:58 -0600 Dale Schroeder <dale at BriannasSaladDressing.com> wrote: > On 11/28/2017 11:11 AM, Robert Wooden wrote: > > Dale, > > > > Been using Ubuntu server for years in my AD. Discovered a long time > > ago that apparmor is not needed for a server. (Someone is probably > > going to argue the other that is should be but . . .)

In order to test a patch I submitted I've been experimenting with "qemu:commandline" to use some newer features for a QEMU host/guest file share. I quickly ran into issues with AppArmor as virt-aa-helper understandably doesn't parse "qemu:commandline" for directories to add to the dynamically generated AppArmor profile. After reading a bunch of documentation, I cannot

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In openSUSE 10.3, AppArmor modifies remove_suid to take a struct path rather than just a dentry. This patch tests that the kernel is openSUSE 10.3 or newer and adjusts the call accordingly. Debian/Ubuntu with AppArmor applied will also need a similar patch. Maintainers of btrfs under those distributions should build on this patch or,

On 11/28/2017 2:38 AM, Rowland Penny via samba wrote: > On Mon, 27 Nov 2017 14:53:32 -0600 > Dale Schroeder via samba <samba at lists.samba.org> wrote: > >> Last week, Debian testing (Buster) added apparmor to the list of >> dependencies for its latest kernel release, apparently because >> systemd needs it.  Recently, I noticed my first casualty - bind9 - >>

Samba4 latest git, Ubuntu 11.10, bind9.9.0 Hi I have dynamic updates working but I've had to tweak apparmor: sudo aa-complain /etc/aparmor.d/usr.sbin.named This floods the logs with allow messages. I can remove this by: /etc/init.d/apparmor teardown Not ideal. Can I have bind9, s4 and apparmor at the same time? Thanks, Steve

Last week, Debian testing (Buster) added apparmor to the list of dependencies for its latest kernel release, apparently because systemd needs it.  Recently, I noticed my first casualty - bind9 - due to apparmor failures with bind_dlz. Here is the initial journalctl results: Nov 23 10:12:12 debpdc named[16080]: starting BIND 9.10.6-Debian <id:9d1ea0b> -f -u bind Nov 23 10:12:12 debpdc

From Ubuntu 14.04, I have installed Samba 4.1.6 and bind 9.9.5 and have them working together as per https://wiki.samba.org/index.php/DNS_Backend_BIND To make it work I had to add the following overrides to /etc/apparmor.d/local/usr.sbin.named: # Samba4 DLZ and Active Directory Zones /usr/lib/x86_64-linux-gnu/samba/** rm, /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,

Hai,  Normaly i kick in sooner but im in bed fit by flu. :-(  You have to add the bind paths to the apparmor profile, or disable apparmor in total, just dont remove it, should work also. debian wiki or ubuntu wiki shows how.  But why are you using buster, imo really not safe,  if you wany a 4.7 for stretch use my apt. When im better i can have a look into your problem more closely. greetz

On 11/28/2017 9:02 AM, Rowland Penny wrote: > On Tue, 28 Nov 2017 08:37:22 -0600 > Dale Schroeder via samba <samba at lists.samba.org> wrote: > >> >> On 11/28/2017 2:38 AM, Rowland Penny via samba wrote: >>> On Mon, 27 Nov 2017 14:53:32 -0600 >>> Dale Schroeder via samba <samba at lists.samba.org> wrote: >>> >>>> Last week,

Hello all, I am using dovecot on Debian stretch, with AppArmor, and I have this audit log: Mar 16 11:25:10 mail kernel: audit: type=1400 audit(1521199510.705:580): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="var/cache/nscd/hosts" pid=26797

On 08/26/2013 03:42 PM, 止语 wrote: > I am playing with libvirt 1.1.1 (lxc) > when I was starting a LXC container, the process location of cgroup is pretty , just the root directory > from the process. But I could tune the cgroup in a container as an user that logged, This is not accepted... > > I wonder how to restrict it with apparmor ,so one can not modify files in the cgroup

Hello all, Is there any guide to help in the configuration of Dovecot for AppArmor on Debian / Ubuntu ? Or maybe does any of you already have something that works? I am actually adding AppArmor on an email server project, and I had some trouble with the versions from Debian. I would like to avoid - if possible - the long try and error process for each Dovecot executable. I am using IMAP, LMTP,

Hi there, I know this isn't a Dovecot issue, but hope that somebody can helps me. I've successfully installed and configured Dovecot to a Debian 9 server. Looks like everything works as well, I just see a line in the log when I send a mail: Mar 28 22:21:47 mailng kernel: [3150146.825007] audit: type=1400 audit(1553808107.757:286204): apparmor="DENIED"

On 11/28/2017 11:11 AM, Robert Wooden wrote: > Dale, > > Been using Ubuntu server for years in my AD. Discovered a long time > ago that apparmor is not needed for a server. (Someone is probably > going to argue the other that is should be but . . .) > > Do not quote me but, I have read that AppArmor is intended more for a > desktop environment. I have always disabled and