[Bug 654680] Re: libvir: Security Labeling error : error calling aa_change_profile()

Jamie Strandboge jamie at ubuntu.com
Fri Oct 8 19:37:56 BST 2010


Unfortunately, the error reporting in libvirt didn't make this easier, but the problem can be seen clearly with:
$ cat /tmp/kolab-new.xml | /usr/lib/libvirt/virt-aa-helper -c --dryrun -u libvirt-79b2a347-7841-39df-8399-c072b05e7f6f
libvir: Storage error : cannot open file '/libvirt/kolab.img': No such file or directory
virt-aa-helper: warning: could not open path, skipping
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /libvirt/kolab.img
virt-aa-helper: error:   skipped restricted file
virt-aa-helper: error: invalid VM definition

What is happening is that virt-aa-helper does some checks to make sure the image is in an ok place, and if it isn't, fails. Because you chose '/libvirt/kolab.img', this matches as a restricted path, as seen in virt-aa-helper.c:
...
valid_path(const char *path, const bool readonly)
{
...
    const char * const restricted[] = {
        "/bin/",
        "/etc/",
        "/lib",
        "/lost+found/",
...

'/lib' is used instead of '/lib/' since we also want to match /lib32,
/lib64 and anything else that might be a library path. As such, I am
going to mark this as "Won't Fix" for now, but have made a note to
improve the error feedback.

As a workaround, simply set your NFS mountpoint to something other than
'/libvirt'. I suggest something FHS compliant such as /srv/<server
name>/libvirt. Thanks for reporting this error and please feel free to
report any other bugs you might find in Ubuntu.

** Changed in: libvirt (Ubuntu)
       Status: Incomplete => Won't Fix

** Summary changed:

- libvir: Security Labeling error : error calling aa_change_profile()
+ virt-aa-helper fails on disks with absolute paths starting with /lib

-- 
virt-aa-helper fails on disks with absolute paths starting with /lib
https://bugs.launchpad.net/bugs/654680
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
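
The prefix match described in the message above, as an added example that is not part of the original post and is not virt-aa-helper's own code. It assumes a plain string-prefix comparison and uses only the four entries visible in the excerpt; match_restricted, restricted_slash and every sample path other than /libvirt/kolab.img are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Only the four entries visible in the excerpt; the real list is longer. */
static const char *const restricted[] = {
    "/bin/", "/etc/", "/lib", "/lost+found/",
};

/* Hypothetical variant with "/lib/", the form the post decides against. */
static const char *const restricted_slash[] = {
    "/bin/", "/etc/", "/lib/", "/lost+found/",
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Return the first entry that is a string prefix of path, or NULL.
 * Assumption: plain prefix comparison, as the post's description implies. */
static const char *match_restricted(const char *path,
                                    const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, list[i], strlen(list[i])) == 0)
            return list[i];
    return NULL;
}

int main(void)
{
    /* First path is from the report; the rest are constructed samples. */
    const char *paths[] = {
        "/libvirt/kolab.img",
        "/lib64/ld-linux-x86-64.so.2",
        "/lib/modules/disk.img",
        "/srv/nfs1/libvirt/kolab.img",
    };
    for (size_t i = 0; i < COUNT(paths); i++) {
        const char *a = match_restricted(paths[i], restricted,
                                         COUNT(restricted));
        const char *b = match_restricted(paths[i], restricted_slash,
                                         COUNT(restricted_slash));
        printf("%-30s with \"/lib\": %-8s with \"/lib/\": %s\n", paths[i],
               a ? "rejected" : "allowed", b ? "rejected" : "allowed");
    }
    return 0;
}
```

With "/lib" the check covers /lib64 but also rejects /libvirt/kolab.img; with "/lib/" the image path would pass, but so would anything under /lib64.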


