missing rules for block-iscsi.so and block-dmg.so

Bug #1554761 reported by Jamie Strandboge
Affects           Status        Importance  Assigned to  Milestone
libvirt (Ubuntu)  Fix Released  High        Unassigned

Bug Description

The libvirt-qemu policy has:

  # for rbd
  /etc/ceph/ceph.conf r,
  /usr/lib/x86_64-linux-gnu/qemu/block-rbd.so rm,

  # for curl
  /usr/lib/x86_64-linux-gnu/qemu/block-curl.so rm,

but starting VMs on up-to-date xenial resulted in:
[114243.449268] audit: type=1400 audit(1457474901.712:270): apparmor="DENIED" operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e" name="/usr/lib/x86_64-linux-gnu/qemu/block-iscsi.so" pid=29571 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=128 ouid=0
[114243.499942] audit: type=1400 audit(1457474901.760:271): apparmor="DENIED" operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e" name="/usr/lib/x86_64-linux-gnu/qemu/block-dmg.so" pid=29571 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=128 ouid=0

I suggest instead of the above doing:
  /usr/lib/@{multiarch}/qemu/*.so rm,

This will work on non-amd64 and will help future-proof new helper libs.

Tags: apparmor
tags: added: apparmor
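The report above proposes replacing per-library rules with the glob `/usr/lib/@{multiarch}/qemu/*.so rm,`. The following is an added example, not part of the bug report or of the libvirt package: a small POSIX shell script that pulls the denied paths out of AppArmor audit lines and checks each against a hand-translated regex of the proposed rule. The first audit line is the one from the report; the other two are constructed here (a non-amd64 multiarch path and an unrelated denial) to show what the generalized rule does and does not cover. The regex assumes `@{multiarch}` expands to `*-linux-gnu*` as in AppArmor's tunables/multiarch, and that a single `*` does not cross a `/`.

```shell
#!/bin/sh
# Added example (not from the bug report): which audit DENIED paths would the
# proposed rule "/usr/lib/@{multiarch}/qemu/*.so rm," cover?
# Assumption: @{multiarch} = *-linux-gnu* (tunables/multiarch) and a single
# "*" in an AppArmor path glob does not match "/".

# Constructed sample of dmesg/audit output. Line 1 is copied from the report;
# lines 2 and 3 are made up for this example (arm64 path, unrelated denial).
AUDIT_SAMPLE='[114243.449268] audit: type=1400 audit(1457474901.712:270): apparmor="DENIED" operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e" name="/usr/lib/x86_64-linux-gnu/qemu/block-iscsi.so" pid=29571 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=128 ouid=0
[114243.499942] audit: type=1400 audit(1457474901.760:271): apparmor="DENIED" operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e" name="/usr/lib/aarch64-linux-gnu/qemu/block-dmg.so" pid=29571 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=128 ouid=0
[114244.000000] audit: type=1400 audit(1457474902.000:272): apparmor="DENIED" operation="open" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e" name="/etc/ceph/keyring" pid=29571 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=128 ouid=0'

# denied_paths TEXT: print the name="..." of every DENIED line for a
# per-VM libvirt-<uuid> profile, one path per line.
denied_paths() {
    printf '%s\n' "$1" \
      | grep 'apparmor="DENIED"' \
      | grep 'profile="libvirt-' \
      | sed -n 's/.* name="\([^"]*\)".*/\1/p'
}

# covered_by_rule PATH: exit 0 if PATH matches the generalized rule,
# 1 otherwise. [^/]* stands for a single AppArmor "*" (no "/" crossing).
covered_by_rule() {
    printf '%s\n' "$1" \
      | grep -Eq '^/usr/lib/[^/]*-linux-gnu[^/]*/qemu/[^/]*\.so$'
}

# still_denied TEXT: print the denied paths the generalized rule would NOT
# fix, i.e. what would remain to look at after applying it.
still_denied() {
    denied_paths "$1" | while IFS= read -r p; do
        covered_by_rule "$p" || printf '%s\n' "$p"
    done
}

# Usage: list what the proposed rule leaves unresolved in the sample.
still_denied "$AUDIT_SAMPLE"
```

Running it prints only `/etc/ceph/keyring`: both block-*.so denials, on amd64 and on arm64, fall under the generalized rule, while a denial outside the qemu module directory is left alone, which is the point of using the glob rather than `**` or a broader path.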
Serge Hallyn (serge-hallyn) wrote :

Thanks for the suggestion - am rolling this into the next version.

Changed in libvirt (Ubuntu):
status: New → In Progress
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.3.1-1ubuntu6

---------------
libvirt (1.3.1-1ubuntu6) xenial; urgency=medium

  * d/apparmor/libvirt-qemu: generalize the qemu-block-extra libs line.
    (LP: #1554761)
  * d/p/ubuntu/virt-aa-helper-add-mknod-for-guest-agent.patch: add mknod
    capability if there is a qemu guest agent. (LP: #1393842)

 -- Serge Hallyn <email address hidden> Wed, 09 Mar 2016 18:45:08 -0800

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released