On 10/06/2017 04:04 PM, Guido Günther wrote:
Hi,
On Fri, Oct 06, 2017 at 02:58:10PM -0600, Jim Fehlig wrote:
> Commit b482925c added ptrace rules for the apparmor profiles,
> but one was missed in the libvirtd profile for dnsmasq. It was
> overlooked since the test machine did not have an active libvirt
> network requiring dnsmasq that was also set to autostart. With
> one active and set to autostart, the following denial is observed
> in audit.log when restarting libvirtd
>
> type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
> comm="libvirtd" requested_mask="trace" denied_mask="trace" \
> peer="/usr/sbin/dnsmasq"
>
> With an active network, I suspect a libvirtd restart causes access
> to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
> side effect of the denial, libvirtd thinks it needs to spawn a
> dnsmasq process even though one is already running for the network.
> E.g. after two libvirtd restarts
>
> dnsmasq 1683 0.0 0.0 51188 2612 ? S 12:03 0:00 \
> /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
> --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root 1684 0.0 0.0 51160 576 ? S 12:03 0:00 \
> /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
> --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> dnsmasq 4706 0.0 0.0 51188 2572 ? S 13:54 0:00 \
> /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
> --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root 4707 0.0 0.0 51160 572 ? S 13:54 0:00 \
> /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
> --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> dnsmasq 4791 0.0 0.0 51188 2580 ? S 13:56 0:00 \
> /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
> --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root 4792 0.0 0.0 51160 572 ? S 13:56 0:00 \
> /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
> --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>
> A simple fix is to add a ptrace rule for dnsmasq.
>
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
> ---
> examples/apparmor/usr.sbin.libvirtd | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
> index fa4ebb355..819068ffc 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -39,6 +39,7 @@
>
> ptrace (trace) peer=unconfined,
> ptrace (trace) peer=/usr/sbin/libvirtd,
> + ptrace (trace) peer=/usr/sbin/dnsmasq,
> ptrace (trace) peer=libvirt-*,
>
> # Very lenient profile for libvirtd since we want to first focus on
> confining
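Review bot: the added `ptrace (trace) peer=/usr/sbin/dnsmasq,` line matches the logged denial exactly (requested_mask="trace", peer="/usr/sbin/dnsmasq") and follows the form of the neighbouring peer rules, so the rule itself is consistent; the one thing worth tightening is the commit message, which only "suspects" /proc/<dnsmasq-pid>/* access as the trigger. Naming the file libvirtd reads there for its is-dnsmasq-still-running check (the check that the duplicate process listing shows going wrong) would let a later reader judge the rule's scope, and it would also record why the narrower `ptrace (read)` permission was not an option: the kernel asked for the trace mask, so read alone would not have cleared the denial.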
Reviewed-By: Guido Günther <agx(a)sigxcpu.org>
Thanks, pushed.
Regards,
Jim
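The patch above was derived by hand from one audit.log record. As an added example that is not part of this thread and not libvirt or AppArmor project code, the script below automates that step in the spirit of aa-logprof: it rejoins backslash-wrapped audit lines, picks out AppArmor ptrace denials, turns each into the rule that would permit it, and reports only rules the profile does not already contain (honouring peer globs such as `libvirt-*`). The first sample record is the denial from the patch description; the other records, the profile snippets and the glob semantics (`*` stops at `/`, `**` does not) are constructed or assumed for the example.

```python
"""Mine AppArmor ptrace denials from audit.log and diff them against a profile.

Added example, not libvirt or AppArmor code.  It reproduces the reasoning
behind the usr.sbin.libvirtd patch: find type=AVC apparmor="DENIED"
operation="ptrace" records, build the rule that would permit each, and
report only those the profile lacks.
"""
import re

# Constructed sample records.  The first is the denial quoted in the patch
# description (its backslash line-wrapping kept, as it appears in the mail);
# the rest are invented to exercise glob matching, non-ptrace records and
# duplicate suppression.
SAMPLE_AUDIT = r'''
type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
comm="libvirtd" requested_mask="trace" denied_mask="trace" \
peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1507320137.001:299): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-3d5a1e2c"
type=AVC msg=audit(1507320138.002:300): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/example.conf" pid=5472 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1507320139.003:301): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/dnsmasq"
'''

# The ptrace block of usr.sbin.libvirtd before and after the patch (from the hunk).
PROFILE_BEFORE = """
  ptrace (trace) peer=unconfined,
  ptrace (trace) peer=/usr/sbin/libvirtd,
  ptrace (trace) peer=libvirt-*,
"""
PROFILE_AFTER = PROFILE_BEFORE.replace(
    "  ptrace (trace) peer=libvirt-*,",
    "  ptrace (trace) peer=/usr/sbin/dnsmasq,\n  ptrace (trace) peer=libvirt-*,")

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
PTRACE_RULE_RE = re.compile(r'^\s*ptrace\s*\(([^)]*)\)\s*peer=(\S+?),\s*$')


def unwrap_audit(text):
    """Rejoin backslash-continued lines so each list entry is one audit record."""
    records, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            records.append(buf.strip())
        buf = ""
    return records


def parse_audit_record(record):
    """Split a key=value / key="value" audit record into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(record)}


def ptrace_denials(records):
    """Yield (profile, denied_mask, peer) for every AppArmor ptrace denial."""
    for rec in records:
        f = parse_audit_record(rec)
        if (f.get("type") == "AVC" and f.get("apparmor") == "DENIED"
                and f.get("operation") == "ptrace"):
            yield f["profile"], f["denied_mask"], f["peer"]


def aa_glob(pattern):
    """Compile an AppArmor-style peer glob (assumed: '*' stops at '/', '**' does not)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def existing_ptrace_rules(profile_text):
    """Return [(permission set, compiled peer glob)] for each ptrace rule."""
    rules = []
    for line in profile_text.splitlines():
        m = PTRACE_RULE_RE.match(line)
        if m:
            perms = {p.strip() for p in m.group(1).split(",") if p.strip()}
            rules.append((perms, aa_glob(m.group(2))))
    return rules


def missing_rules(audit_text, profile_text, profile_name="/usr/sbin/libvirtd"):
    """Rules that would clear the logged ptrace denials of profile_name but are not yet present."""
    rules = existing_ptrace_rules(profile_text)
    suggested = []
    for profile, mask, peer in ptrace_denials(unwrap_audit(audit_text)):
        if profile != profile_name:
            continue
        needed = {p.strip() for p in mask.split(",")}
        # Covered if any existing rule grants every needed permission to a matching peer.
        if any(needed <= perms and glob.match(peer) for perms, glob in rules):
            continue
        rule = f"ptrace ({mask}) peer={peer},"
        if rule not in suggested:
            suggested.append(rule)
    return suggested


if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_AUDIT, PROFILE_BEFORE):
        print(rule)                                        # ptrace (trace) peer=/usr/sbin/dnsmasq,
    print(missing_rules(SAMPLE_AUDIT, PROFILE_AFTER))      # []
```

Run against the pre-patch profile it prints exactly the line the patch adds; against the post-patch profile it prints nothing. The glob handling is what keeps the `libvirt-3d5a1e2c` denial from producing a redundant rule, since `peer=libvirt-*` already covers it; whether a logged mask is best satisfied by a per-peer rule or a broader one remains a judgement call for the profile author, as it was here.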