dnsmasq profile doesn't work with libvirt
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apparmor (Ubuntu) | Fix Released | Medium | Jamie Strandboge | |
Bug Description
Binary package hint: apparmor
Using the usr.sbin.dnsmasq profile from apparmor-profiles with libvirt 0.8.5-0ubuntu4 in natty results in:
type=AVC msg=audit(
The following should be added to the dnsmasq profile:
/var/
/var/
Also need to add capability net_admin. NET_ADMIN is required for using as a DHCP server. capability net_raw and 'network inet raw' are also needed for ICMP ping checks when used as a DHCP server. See the FAQ in the dnsmasq source for details.
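Added example, not part of the bug report or of AppArmor's own tooling: a Python helper that reads AppArmor DENIED audit records for one profile and lists candidate rules of the kind named above (capability net_admin, network inet raw). The log lines, including the /srv/example path, pids and timestamps, are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample records in the kernel audit format AppArmor logs; the
# timestamps, pids and /srv/example paths are placeholders, not from the report.
SAMPLE_LOG = '''\
type=AVC msg=audit(1000000000.001:10): apparmor="DENIED" operation="capable" profile="/usr/sbin/dnsmasq" pid=100 comm="dnsmasq" capability=12 capname="net_admin"
type=AVC msg=audit(1000000000.002:11): apparmor="DENIED" operation="create" profile="/usr/sbin/dnsmasq" pid=100 comm="dnsmasq" family="inet" sock_type="raw" protocol=1
type=AVC msg=audit(1000000000.003:12): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/srv/example/dnsmasq.pid" pid=100 comm="dnsmasq" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0
type=AVC msg=audit(1000000000.004:13): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/srv/example/dnsmasq.pid" pid=100 comm="dnsmasq" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0
type=AVC msg=audit(1000000000.005:14): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dnsmasq" name="/srv/example/ignored" pid=100 comm="dnsmasq" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0
type=AVC msg=audit(1000000000.006:15): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/srv/example/other" pid=101 comm="other" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: q if q else u for k, q, u in FIELD.findall(line)}

def missing_rules(log_text, profile):
    """Map DENIED records for `profile` to candidate profile rules (hypothetical helper)."""
    caps, nets, files = set(), set(), {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Skip complain-mode (ALLOWED) records and records for other profiles.
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        if "capname" in rec:
            caps.add(rec["capname"])
        elif "family" in rec and "sock_type" in rec:
            nets.add((rec["family"], rec["sock_type"]))
        elif "name" in rec and "denied_mask" in rec:
            # Some kernels log masks as "r::"; keep only the permission letters
            # and merge repeated denials on the same path into one rule.
            mask = rec["denied_mask"].replace(":", "")
            files.setdefault(rec["name"], set()).update(mask)
    rules = [f"capability {c}," for c in sorted(caps)]
    rules += [f"network {fam} {typ}," for fam, typ in sorted(nets)]
    rules += [f"{path} {''.join(sorted(m))}," for path, m in sorted(files.items())]
    return rules  # candidates only: review each one before adding it to the profile

if __name__ == "__main__":
    print("\n".join(missing_rules(SAMPLE_LOG, "/usr/sbin/dnsmasq")))
```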
Changed in apparmor (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → natty-alpha-2
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu):
milestone: natty-alpha-2 → natty-alpha-3
description: updated
description: updated
On Tue, Jan 04, 2011 at 07:03:41PM -0000, Jamie Strandboge wrote:
> + Also need to add capability net_admin. NET_ADMIN is required for using
> + as a DHCP server. May need to add net_raw later for ICMP ping checks.
> + See the FAQ in the dnsmasq source for details.
I haven't seemed to need net_raw when using dnsmasq as a dhcp server;
however, when enabling the tftpd server functionality, I did need to add
the net_bind_service capability.
Also for supporting the latter, a tunable/dnsmasq containing a definition
for @{TFTPROOT} and adding:
@{TFTPROOT}/ r,
@{TFTPROOT}/** r,
may be useful.
If the default configuration file is to be believed, the default
tftp-root is /var/ftpd (I use a non-standard location locally).
-- NxNW.org/ ~steve/
Steve Beattie