[Bug 1324251] [NEW] AppArmor denies guest from create/modify 9pfs files

Steven Leung stvleung at gmail.com
Wed May 28 20:39:05 UTC 2014


Public bug reported:

When I tried to create a file or directory in a 9pfs mount in the guest
host, I was denied by AppArmor.  This is the error message:

  May 28 12:26:10 sleungmini kernel: [54257.224886] type=1400 audit(1401305170.938:390): apparmor="DENIED" operation="capable" profile="libvirt-865a1f4b-f7ab-428f-aa56-f30631565191" pid=28533 comm="pool" capability=3  capname="fowner"

Upon adding "capability fowner," to
/etc/apparmor.d/abstractions/libvirt-qemu, I was able to create files;
however, I still got this in /var/log/syslog:

  May 28 12:29:03 sleungmini kernel: [54429.795090] type=1400 audit(1401305343.314:415): apparmor="DENIED" operation="capable" profile="libvirt-865a1f4b-f7ab-428f-aa56-f30631565191" pid=29097 comm="pool" capability=4  capname="fsetid"

So I added "capability fsetid," to
/etc/apparmor.d/abstractions/libvirt-qemu as well.

I believe the correct fix is in my included patch.

I've looked through bug #1285995 and see that I have a version that
includes that fix/patch.  I've also verified that I no longer get the
same DENIED message.  I believe this is a different bug.

I'm currently running:

  $ lsb_release -rd
  Description:	Ubuntu 14.04 LTS
  Release:	14.04

This is my version of libvirt-bin:

  apt-cache policy libvirt-bin
  libvirt-bin:
    Installed: 1.2.2-0ubuntu13.1
    Candidate: 1.2.2-0ubuntu13.1
    Version table:
   *** 1.2.2-0ubuntu13.1 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.2.2-0ubuntu13 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Let me know if you have any requests for additional information,
questions or suggestions.  This is my first time submitting a bug report
and patch for Ubuntu so I'm not familiar with the conventions here.
Thanks!

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: patch

** Patch added: "libvirt-qemu-aa-allow-capability-fowner-fsetid.patch"
   https://bugs.launchpad.net/bugs/1324251/+attachment/4121640/+files/libvirt-qemu-aa-allow-capability-fowner-fsetid.patch

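The two denials quoted in the report can be extracted from syslog mechanically. The following is an added example, not part of the original report or of libvirt: it groups `operation="capable"` denials by profile and lists the matching `capability <name>,` rule lines so they can be reviewed before anything is added to a profile or abstraction. The sample log (the report's two records joined onto single lines, plus one unrelated line) and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials from the report, one per line,
# plus an unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
May 28 12:26:10 sleungmini kernel: [54257.224886] type=1400 audit(1401305170.938:390): apparmor="DENIED" operation="capable" profile="libvirt-865a1f4b-f7ab-428f-aa56-f30631565191" pid=28533 comm="pool" capability=3  capname="fowner"
May 28 12:29:03 sleungmini kernel: [54429.795090] type=1400 audit(1401305343.314:415): apparmor="DENIED" operation="capable" profile="libvirt-865a1f4b-f7ab-428f-aa56-f30631565191" pid=29097 comm="pool" capability=4  capname="fsetid"
May 28 12:30:00 sleungmini kernel: [54500.000000] usb 1-1: new high-speed USB device
"""

# key=value or key="value" pairs as they appear in the audit record
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Only plain lowercase names are accepted, so log content cannot smuggle
# other text into a generated rule line.
CAPNAME_RE = re.compile(r'^[a-z_]+$')


def parse_audit_fields(line):
    """Return the key/value fields of one audit line, quotes stripped."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def denied_capabilities(log_text):
    """Map profile name -> sorted list of capability names denied for it."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "capable":
            continue
        capname = f.get("capname", "")
        if CAPNAME_RE.match(capname):
            denied[f.get("profile", "unknown")].add(capname)
    return {profile: sorted(caps) for profile, caps in denied.items()}


def candidate_rules(log_text):
    """Rule lines in AppArmor profile syntax, one per denied capability."""
    caps = set()
    for names in denied_capabilities(log_text).values():
        caps.update(names)
    return ["capability %s," % c for c in sorted(caps)]


if __name__ == "__main__":
    for profile, caps in denied_capabilities(SAMPLE_LOG).items():
        print(profile, caps)
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```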