Comment 3 for bug 656173

James Page (james-page) wrote : Re: virt-aa-helper generate incomplete apparmor profiles with chained backing files

I've been unable to reproduce this issue on either Lucid or Maverick, although they do exhibit different behaviour.

test.qcow2 -> test_base.qcow2 -> base/lenny_vase.qcow2 (symlink to lenny.qcow2)

Lucid apparmor profile:

  "/var/log/libvirt/**/test.log" w,
  "/var/lib/libvirt/**/test.monitor" rw,
  "/var/run/libvirt/**/test.pid" rwk,
  "/home/jamespage/vms/test_base.qcow2" rw,
  "/home/jamespage/vms/base/lenny.qcow2" rw,
  "/home/jamespage/vms/test.qcow2" rw,
  "/home/jamespage/reference/isos/ubuntu-server/maverick-server-i386.iso" r,
  # don't audit writes to readonly files
  deny "/home/jamespage/reference/isos/ubuntu-server/maverick-server-i386.iso" w,

Maverick apparmor profile:

  "/var/log/libvirt/**/test.log" w,
  "/var/lib/libvirt/**/test.monitor" rw,
  "/var/run/libvirt/**/test.pid" rwk,
  "/home/jamespage/vms/test.qcow2" rw,
  "/dev/sr0" r,
  # don't audit writes to readonly files
  deny "/dev/sr0" w,

No apparmor messages in kern.log, and no impact on functionality.