[Bug 654680] Re: libvir: Security Labeling error : error calling aa_change_profile()
Jamie Strandboge
jamie at ubuntu.com
Fri Oct 8 19:37:56 BST 2010
Unfortunately, the error reporting in libvirt didn't make this easier, but the problem can be seen clearly with:
$ cat /tmp/kolab-new.xml | /usr/lib/libvirt/virt-aa-helper -c --dryrun -u libvirt-79b2a347-7841-39df-8399-c072b05e7f6f
libvir: Storage error : cannot open file '/libvirt/kolab.img': No such file or directory
virt-aa-helper: warning: could not open path, skipping
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /libvirt/kolab.img
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
What is happening is that virt-aa-helper does some checks to make sure the image is in an ok place, and if it isn't, fails. Because you chose '/libvirt/kolab.img', this matches as a restricted path, as seen in virt-aa-helper.c:
    ...
    valid_path(const char *path, const bool readonly)
    {
    ...
        const char * const restricted[] = {
            "/bin/",
            "/etc/",
            "/lib",
            "/lost+found/",
    ...
'/lib' is used instead of '/lib/' since we also want to match /lib32,
/lib64 and anything else that might be a library path. As such, I am
going to mark this as "Won't Fix" for now, but have made a note to
improve the error feedback.
As a workaround, simply set your NFS mountpoint to something other than
'/libvirt'. I suggest something FHS compliant such as /srv/<server
name>/libvirt. Thanks for reporting this error and please feel free to
report any other bugs you might find in Ubuntu.
** Changed in: libvirt (Ubuntu)
Status: Incomplete => Won't Fix
** Summary changed:
- libvir: Security Labeling error : error calling aa_change_profile()
+ virt-aa-helper fails on disks with absolute paths starting with /lib
--
virt-aa-helper fails on disks with absolute paths starting with /lib
https://bugs.launchpad.net/bugs/654680
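
The prefix matching described in the message, as an added example that is not part of the original message and not the code from virt-aa-helper.c. It uses only the four restricted[] entries quoted above; the helper names and sample paths are assumptions made for illustration. It reports which prefix caused a rejection and shows what a "/lib/" entry would miss.

```c
#include <stdio.h>
#include <string.h>

/* Subset of the restricted[] prefixes quoted in the message; the real
 * list in virt-aa-helper.c is longer (elided there with "..."). */
static const char *const restricted[] = {
    "/bin/", "/etc/", "/lib", "/lost+found/",
};

/* Hypothetical helper: return the restricted prefix that `path` starts
 * with, or NULL if none. Plain string-prefix comparison, so "/lib" also
 * covers /lib32, /lib64 and, as a side effect, /libvirt. */
static const char *matched_restricted_prefix(const char *path)
{
    size_t i;
    for (i = 0; i < sizeof(restricted) / sizeof(restricted[0]); i++) {
        if (strncmp(path, restricted[i], strlen(restricted[i])) == 0)
            return restricted[i];
    }
    return NULL;
}

/* For contrast: what a "/lib/" entry (with trailing slash) would match. */
static int starts_with(const char *path, const char *prefix)
{
    return strncmp(path, prefix, strlen(prefix)) == 0;
}

int main(void)
{
    /* Constructed sample paths; the first is the one from the bug. */
    const char *samples[] = {
        "/libvirt/kolab.img",
        "/lib64/libc.so.6",
        "/lib/modules/x.ko",
        "/srv/nfs1/libvirt/kolab.img",
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *hit = matched_restricted_prefix(samples[i]);
        printf("%-30s %s%s  (\"/lib/\" would match: %s)\n", samples[i],
               hit ? "restricted by " : "allowed", hit ? hit : "",
               starts_with(samples[i], "/lib/") ? "yes" : "no");
    }
    return 0;
}
```

Naming the matched prefix in the error output is the kind of feedback that would have pointed directly at the '/lib' entry in this bug.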