[Bug 632696] Re: libvirt won't start a VM with serial or console when apparmor is enabled

[Serge Hallyn]

I chowned and chmoded /srv/libvirt-storage-pool-1 to be

serge at sergelap:~/ $ ls -ld /srv/libvirt-storage-pool-1/
drwxr-x--- 2 root kvm 4096 2010-09-03 09:45 /srv/libvirt-storage-pool-1/

and made sure to be in the kvm group, but this still did not suffice.  The errors
in the log are as usual:

[ 2844.242158] type=1400 audit(1284123328.335:34): apparmor="DENIED" operation="open" parent=1006 profile="libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" name="/proc/1011/fd/" pid=1011 comm="kvm" requested_mask="r" denied_mask="r" fsuid=117 ouid=117
[ 2844.242322] type=1400 audit(1284123328.335:35): apparmor="DENIED" operation="exec" parent=1006 profile="libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" name="/usr/lib/pt_chown" pid=1011 comm="kvm" requested_mask="x" denied_mask="x" fsuid=117 ouid=0

I did an apt-get dist-upgrade yesterday, don't know if that's what re-
caused the error.

I re-added the 3 lines to /etc/apparmor.d/abstractions/libvirt-qemu
and did 'sudo /etc/init.d/apparmor restart; sudo restart libvirt-bin', after which it still
failed but with the error:

[ 3056.875668] type=1400 audit(1284123541.145:53): apparmor="DENIED"
operation="capable" parent=6063 profile="libvirt-
4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" pid=6065 comm="pt_chown"
capability=3  capname="fowner"

It's not clear to me if there is an easy (and safe) way to hand
cap_fowner to pt_chown there?

** Changed in: libvirt (Ubuntu Maverick)
       Status: Incomplete => New

-- 
libvirt won't start a VM with serial or console when apparmor is enabled
https://bugs.launchpad.net/bugs/632696
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.