[Bug 545426] Re: SDL support broken when using apparmor

Ancoron Luziferis ancoron.luciferis at gmail.com
Mon Apr 12 19:05:13 BST 2010


Just tested it with kernel 2.6.32-20-generic (amd64) and libvirt0
0.7.5-5ubuntu21.

$ sudo virsh -c qemu:///system define /srv/virtual/aria.xml
Domain aria defined from /srv/virtual/aria.xml

$ sudo virsh -c qemu:///system start aria
error: Failed to start domain aria
error: internal error unable to start guest: libvir: Security Labeling error : error calling aa_change_profile()

[ 1445.385111] type=1503 audit(1271092691.039:30):  operation="open" pid=4883 parent=1224 profile="/usr/lib/libvirt/virt-aa-helper" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/srv/virtual/aria-win2k3.img"
[ 1445.385453] type=1503 audit(1271092691.039:31):  operation="open" pid=4883 parent=1224 profile="/usr/lib/libvirt/virt-aa-helper" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/srv/virtual/win2003-x64.iso"
[ 1445.407237] device vnet0 entered promiscuous mode
[ 1445.408771] virbr0: topology change detected, propagating
[ 1445.408780] virbr0: port 1(vnet0) entering forwarding state
[ 1445.453859] virbr0: port 1(vnet0) entering disabled state
[ 1445.482558] device vnet0 left promiscuous mode
[ 1445.482568] virbr0: port 1(vnet0) entering disabled state
[ 1445.608828] type=1505 audit(1271092691.259:32):  operation="profile_remove" info="profile does not exist" error=-2 pid=4898 name="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" namespace="root"


The mentioned profile doesn't get loaded (libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815) although it exists:

$ ls -1 /etc/apparmor.d/libvirt/libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815*
/etc/apparmor.d/libvirt/libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815
/etc/apparmor.d/libvirt/libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815.files

...and has appropriate lines in it:

$ grep '/srv/virtual/' /etc/apparmor.d/libvirt/libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815.files
  "/srv/virtual/aria-win2k3.img" rw,
  "/srv/virtual/win2003-x64.iso" r,
  deny "/srv/virtual/win2003-x64.iso" w,


So I just added appropriate lines into "/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper" for my custom storage pool (should I open a bug for that?):

$ grep '/srv/virtual' /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper 
  /srv/virtual/ r,
  /srv/virtual/** r,

...reloaded the apparmor service and now it works. Now I'm waiting for a
resolution to Bug #513273 to finally get an SDL VM running out of the
virt-manager.

Thanks a lot so far! Fix confirmed! :-)

-- 
SDL support broken when using apparmor
https://bugs.launchpad.net/bugs/545426
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
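
An added example, not part of the bug report or of libvirt: a small Python helper that parses the type=1503 AppArmor denial lines quoted above (re-used here as constructed sample input) and turns them into the per-file rules the denials imply, plus the broader directory rule the reporter put into usr.lib.libvirt.virt-aa-helper. Function names and the sample text are my own.

```python
import os
import re
from collections import defaultdict

# Constructed sample: the audit lines from the report plus one bridge line to ignore.
SAMPLE_DMESG = """\
[ 1445.385111] type=1503 audit(1271092691.039:30):  operation="open" pid=4883 parent=1224 profile="/usr/lib/libvirt/virt-aa-helper" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/srv/virtual/aria-win2k3.img"
[ 1445.385453] type=1503 audit(1271092691.039:31):  operation="open" pid=4883 parent=1224 profile="/usr/lib/libvirt/virt-aa-helper" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/srv/virtual/win2003-x64.iso"
[ 1445.407237] device vnet0 entered promiscuous mode
[ 1445.608828] type=1505 audit(1271092691.259:32):  operation="profile_remove" info="profile does not exist" error=-2 pid=4898 name="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" namespace="root"
"""

# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line, or None for other lines."""
    if "type=" not in line or "audit(" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def file_denials(text):
    """Yield (profile, path, denied_perms) for type=1503 file-access denials."""
    for line in text.splitlines():
        f = parse_audit_line(line)
        if f and f.get("type") == "1503" and "denied_mask" in f and "name" in f:
            # this kernel logs masks as e.g. "r::"; keep only the permission letters
            yield f["profile"], f["name"], re.sub(r"[^a-z]", "", f["denied_mask"])

def per_file_rules(text):
    """Minimal rules: one line per denied path with exactly the denied permissions."""
    perms = defaultdict(lambda: defaultdict(set))
    for profile, path, mask in file_denials(text):
        perms[profile][path].update(mask)
    return {p: sorted(f'"{path}" {"".join(sorted(m))},' for path, m in paths.items())
            for p, paths in perms.items()}

def directory_rules(text):
    """Broader rules like the reporter's fix: read access to the common parent directory,
    emitted only when every denial for that profile is read-only."""
    by_profile = defaultdict(list)
    for profile, path, mask in file_denials(text):
        by_profile[profile].append((path, mask))
    out = {}
    for profile, entries in by_profile.items():
        if all(set(mask) <= {"r"} for _, mask in entries):
            base = os.path.commonpath([os.path.dirname(p) for p, _ in entries])
            out[profile] = [f"{base}/ r,", f"{base}/** r,"]
    return out
```

Feed it `dmesg` or `/var/log/kern.log` output; the per-file rules are the least-privilege option, the directory rules are the convenient one the reporter chose.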