[Bug 1554761] [NEW] missing rules for block-iscsi.so and block-dmg.so
Jamie Strandboge
jamie at ubuntu.com
Tue Mar 8 22:14:39 UTC 2016
Public bug reported:
The libvirt-qemu policy has:
# for rbd
/etc/ceph/ceph.conf r,
/usr/lib/x86_64-linux-gnu/qemu/block-rbd.so rm,
# for curl
/usr/lib/x86_64-linux-gnu/qemu/block-curl.so rm,
but starting VMs on up to date xenial resulted in:
[114243.449268] audit: type=1400 audit(1457474901.712:270): apparmor="DENIED" operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e" name="/usr/lib/x86_64-linux-gnu/qemu/block-iscsi.so" pid=29571 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=128 ouid=0
[114243.499942] audit: type=1400 audit(1457474901.760:271): apparmor="DENIED" operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e" name="/usr/lib/x86_64-linux-gnu/qemu/block-dmg.so" pid=29571 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=128 ouid=0
I suggest instead of the above doing:
/usr/lib/@{multiarch}/qemu/*.so rm,
This will work on non-amd64 and will help future proof new helper libs.
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
** Tags: apparmor
** Tags added: apparmor
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1554761
Title:
missing rules for block-iscsi.so and block-dmg.so
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1554761/+subscriptions
More information about the Ubuntu-server-bugs
mailing list