AppArmor profile libvirt is incomplete

Bug #1204616 reported by Wido den Hollander
This bug affects 8 people
Affects: libvirt (Ubuntu) | Status: Fix Released | Importance: Low | Assigned to: Unassigned | Milestone: (none)

Bug Description

I'm using the Ubuntu Cloud Archive and I'm encountering an incomplete libvirt AppArmor profile.

My libvirtd.log is showing lines like this:

2013-07-24 13:41:35.254+0000: 2995: warning : virAuditSend:135 : Failed to send audit message virt=kvm op=start reason=booted vm="r-1163-VM" uuid=1060bdc3-d77a-35f3-a8ef-696c0aef0b42 vm-pid=5121: Operation not permitted

This is due to "audit_write" missing as a capability in the AppArmor profile for libvirtd.

The simple fix is to add this line:

  capability audit_write,

In /etc/apparmor.d/usr.sbin.libvirtd

This is with libvirt 1.0.6 from the Havana repository.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: nova-compute (not installed)
ProcVersionSignature: Ubuntu 3.2.0-49.75-generic 3.2.46
Uname: Linux 3.2.0-49-generic x86_64
NonfreeKernelModules: fglrx
ApportVersion: 2.0.1-0ubuntu17.3
Architecture: amd64
Date: Wed Jul 24 20:27:55 2013
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: nova
UpgradeStatus: Upgraded to precise on 2012-04-21 (459 days ago)
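
The report above shows the two pieces of evidence a practitioner works from: the libvirtd log complaint (EPERM from the audit socket) and the kernel's apparmor="DENIED" operation="capable" line naming the capability. The script below, an added example that is not part of the bug report or of the libvirt package, turns such kernel lines into the profile rules that are missing. It runs over constructed sample lines modelled on the dmesg output quoted later in this thread and a constructed profile excerpt in the broken state; the function names (denied_caps, has_cap, missing_rules) are this example's own, and the --live mode assumes the Ubuntu profile path /etc/apparmor.d/usr.sbin.libvirtd named in the report.

```shell
#!/bin/sh
# Constructed sample log text (not real output): one profile_load STATUS line,
# two audit_write denials for libvirtd, and one unrelated net_admin denial.
SAMPLE_DMESG='[  266.523363] type=1400 audit(1389517386.065:33): apparmor="STATUS" operation="profile_load" parent=2735 profile="unconfined" name="libvirt-8f65dd3c" pid=2736 comm="apparmor_parser"
[  266.525075] type=1400 audit(1389517386.065:34): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2594 comm="libvirtd" capability=29 capname="audit_write"
[  266.857308] type=1400 audit(1389517386.401:35): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2594 comm="libvirtd" capability=29 capname="audit_write"
[  300.000001] type=1400 audit(1389517420.000:36): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/dnsmasq" pid=2700 comm="dnsmasq" capability=12 capname="net_admin"'

# Constructed profile excerpt in the state the report describes: audit_write absent.
SAMPLE_PROFILE='/usr/sbin/libvirtd {
  capability kill,
  capability net_admin,
  capability sys_admin,
}'

# denied_caps PROFILE LOG_TEXT
# Print the distinct capability names that AppArmor denied to PROFILE.
# Only apparmor="DENIED" lines for operation="capable" are considered, so
# profile_load STATUS lines and file-access denials are ignored.
denied_caps() {
  printf '%s\n' "$2" \
    | grep 'apparmor="DENIED"' | grep 'operation="capable"' \
    | grep "profile=\"$1\"" \
    | sed -n 's/.*capname="\([a-z_]*\)".*/\1/p' \
    | sort -u
}

# has_cap PROFILE_TEXT CAP
# Succeed if the profile text already contains a "capability CAP," rule.
# The trailing comma is required by the AppArmor parser; a rule without it
# is a syntax error, so only properly terminated rules count as granted.
has_cap() {
  printf '%s\n' "$1" \
    | grep -Eq "^[[:space:]]*capability[[:space:]]+$2[[:space:]]*,"
}

# missing_rules PROFILE LOG_TEXT PROFILE_TEXT
# For every capability denied to PROFILE that the profile does not grant,
# print the rule line to add (indented, comma-terminated).
missing_rules() {
  for cap in $(denied_caps "$1" "$2"); do
    has_cap "$3" "$cap" || printf '  capability %s,\n' "$cap"
  done
}

# Stand-alone run: show the rules the sample profile is missing.
missing_rules /usr/sbin/libvirtd "$SAMPLE_DMESG" "$SAMPLE_PROFILE"

# Against a real host (assumed Ubuntu paths; needs root to read dmesg on
# many systems):  sh thisscript.sh --live
if [ "${1:-}" = "--live" ]; then
  missing_rules /usr/sbin/libvirtd "$(dmesg)" \
    "$(cat /etc/apparmor.d/usr.sbin.libvirtd)"
fi
```

After appending the printed rule inside the profile's braces, reload it with apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd (the profile must be reloaded; editing the file alone changes nothing for the running daemon) and start a guest again to confirm the capable denial no longer appears in dmesg. Filtering on the exact profile name matters: the same capname denied to a different profile is a different bug, and granting it to libvirtd would widen the daemon's privileges for no benefit.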

Changed in nova (Ubuntu):
importance: Undecided → Low
status: New → Triaged
affects: nova (Ubuntu) → libvirt (Ubuntu)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This actually breaks openstack-- VMs don't launch without it. Noticed this on 13.04 openstack.

Changed in libvirt (Ubuntu):
importance: Low → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Oct 23 12:50:55 openstack-raring-amd64 kernel: [ 2914.485060] type=1400 audit(1382550655.256:14): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=1314 comm="libvirtd" pid=1314 comm="libvirtd" capability=29 capname="audit_write"

# cat /proc/version_signature
Ubuntu 3.8.0-31.46-generic 3.8.13.8

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Sorry, I was wrong-- I have the denial, but it was something else that prevented the machine from booting. Sorry for the noise.

Changed in libvirt (Ubuntu):
importance: High → Low
no longer affects: libvirt (Ubuntu Saucy)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.1.1-0ubuntu9

---------------
libvirt (1.1.1-0ubuntu9) trusty; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: add audit_write capability
    (LP: #1204616)
 -- Serge Hallyn <email address hidden> Wed, 23 Oct 2013 14:09:04 -0500

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Michael Neuffer (neuffer) wrote :

This problem still exists in current Saucy.

[ 266.523363] type=1400 audit(1389517386.065:33): apparmor="STATUS" operation="profile_load" parent=2735 profile="unconfined" name="libvirt-8f65dd3c-a129-cb60-4c97-d40d9d6b6626" pid=2736 comm="apparmor_parser"
[ 266.525075] type=1400 audit(1389517386.065:34): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2594 comm="libvirtd" pid=2594 comm="libvirtd" capability=29 capname="audit_write"
[ 266.813400] device vnet0 entered promiscuous mode
[ 266.837595] br0: port 2(vnet0) entered forwarding state
[ 266.837609] br0: port 2(vnet0) entered forwarding state
[ 266.857308] type=1400 audit(1389517386.401:35): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2594 comm="libvirtd" pid=2594 comm="libvirtd" capability=29 capname="audit_write"
[ 267.089936] cgroup: libvirtd (2594) created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Yes, it was fixed in trusty, but has not been SRU'd to saucy. Low priority bugs cannot be SRU'd. If there is a reason why you think this bug's priority should be raised, please do list it here. As far as I can see this mainly results in a syslog message and logs going to /var/log/libvirt/qemu/$vm.log instead of audit.
