[Bug 517714] Re: [Lucid] Error starting domain: could not remove profile
Robert Sander
ubuntu at gurubert.de
Thu Apr 15 12:57:42 BST 2010
I also encountered this issue just now. It is caused by an update of the
AppArmor profile:
--- /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper 2010-04-14 14:19:00.000000000 +0200
+++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.dpkg-dist 2010-04-15 08:17:39.000000000 +0200
@@ -3,6 +3,7 @@
/usr/lib/libvirt/virt-aa-helper {
#include <abstractions/base>
+ #include <abstractions/user-tmp>
# needed for searching directories
capability dac_override,
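Review bot: the added `#include <abstractions/user-tmp>` line has no comment saying what the helper needs temporary-file access for, while the rule directly below it is documented ("needed for searching directories"). Please add a one-line comment stating the purpose, in the style of the "# for hostdev" comment added further down, so the grant can be checked against that need.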
@@ -14,9 +15,30 @@
deny @{PROC}/[0-9]*/mounts r,
@{PROC}/filesystems r,
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+
/usr/lib/libvirt/virt-aa-helper mr,
/sbin/apparmor_parser Ux,
/etc/apparmor.d/libvirt/* r,
/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # For backingstore, virt-aa-helper needs to peek inside the disk image, so
+ # allow access to non-hidden files in @{HOME} as well as storage pools, and
+ # removable media and filesystems. A virt-aa-helper failure when checking a
+ # disk for backinsgstore is non-fatal (but obviously the backingstore won't
+ # be added).
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /{media,mnt,opt,srv}/** r,
+ deny /dev/** mrwkl,
}
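Review bot: the read grants at the end of this hunk, `@{HOME}/** r` and `/{media,mnt,opt,srv}/** r`, are wide for a helper whose profile also holds `capability dac_override`. The deny rules above them exclude only dot-files and `@{HOME}/bin`, so everything else under those trees becomes readable by the helper. Consider narrowing these to the directories where disk images are expected, or extend the comment to say why whole trees are required. Two smaller points: "backinsgstore" in the comment is a typo for "backingstore", and `deny /dev/** mrwkl` has neither the `audit` prefix used on the other deny rules nor a comment explaining it.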
I reverted to the old one and virt-manager was able to start virtual
machines again.
--
[Lucid] Error starting domain: could not remove profile
https://bugs.launchpad.net/bugs/517714
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.