libvirt 4.6 triggers apparmor issues when starting a guest - unable to change the profile

Bug #1786181 reported by Christian Ehrhardt 
Affects: libvirt (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Starting a guest e.g. via uvtool now fails.

$ uvt-kvm create --password=ubuntu b release=bionic arch=ppc64el label=daily
Warning: using --password from the command line is not secure and should be used for debugging only.
uvt-kvm: error: libvirt: internal error: Process exited prior to exec: ostnet0,vhost=on,vhostfd=28 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:2b:22:f2,bus=pci.0,addr=0x1 -chardev pty,id=charserial0 -device spapr-vty,chardev=charserial0,id=serial0,reg=0x30000000 -device usb-kbd,id=input0,bus=usb.0,port=1 -device usb-mouse,id=input1,bus=usb.0,port=2 -vnc 127.0.0.1:0 -device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x6 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on
libvirt: error : unable to set AppArmor profile 'libvirt-90110376-bc54-4bd5-806b-c4e68f30f461' for '/usr/bin/kvm': No such file or directory

The related Deny is:
[71225.866420] audit: type=1400 audit(1533799502.774:2669): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-90110376-bc54-4bd5-806b-c4e68f30f461" pid=134355 comm="libvirtd"

So it is libvirtd who wants to do things but gets denied - per profile="/usr/sbin/libvirtd"

The generated profiles exist:
/etc/apparmor.d/libvirt/libvirt-90110376-bc54-4bd5-806b-c4e68f30f461
/etc/apparmor.d/libvirt/libvirt-90110376-bc54-4bd5-806b-c4e68f30f461.files

Christian Ehrhardt  (paelzer) wrote :

Ok, it all makes sense now.
That was just due to a broken WIP implementation for bug 1786019.

Since this will only release once ok, the bug here can be closed.

Changed in libvirt (Ubuntu):
status: New → Invalid
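
A triage helper for the kind of denial quoted in the bug description, added here as an example and not part of the original report or of libvirt: it parses the audit record and reports whether the target label is loaded in the kernel, only present on disk, or missing entirely. The securityfs path for loaded profiles is an assumption about the host; the function names are hypothetical.

```python
import os
import re

# The denial quoted in the bug description, used here as sample input.
SAMPLE = ('[71225.866420] audit: type=1400 audit(1533799502.774:2669): '
          'apparmor="DENIED" operation="change_profile" info="label not found" '
          'error=-2 profile="/usr/sbin/libvirtd" '
          'name="libvirt-90110376-bc54-4bd5-806b-c4e68f30f461" '
          'pid=134355 comm="libvirtd"')

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}

def loaded_profiles(path="/sys/kernel/security/apparmor/profiles"):
    """Names of profiles loaded in the kernel (assumed securityfs path, needs root)."""
    try:
        with open(path) as fh:
            return {ln.rsplit(" (", 1)[0] for ln in fh.read().splitlines()}
    except OSError:
        return set()

def disk_profiles(directory="/etc/apparmor.d/libvirt"):
    """Per-guest profile files generated on disk (directory taken from the report)."""
    try:
        return set(os.listdir(directory))
    except OSError:
        return set()

def triage(line, loaded, on_disk):
    """Classify a change_profile denial by where the target label is missing."""
    d = parse_denial(line)
    if d is None or d.get("operation") != "change_profile":
        return None
    target = d.get("name", "")
    if target in loaded:
        state = "loaded: check the change_profile rule of the source profile"
    elif target in on_disk:
        state = "on disk but not loaded into the kernel"
    else:
        state = "not generated on disk and not loaded"
    return {"source": d.get("profile"), "target": target,
            "error": int(d.get("error", 0)), "state": state}

if __name__ == "__main__":
    print(triage(SAMPLE, loaded_profiles(), disk_profiles()))
```

With the report's facts (profile files present under /etc/apparmor.d/libvirt, kernel answering "label not found"), the result is the "on disk but not loaded" state.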