virt-aa-helper fails on disks with absolute paths starting with /lib

Bug #654680 reported by Alvin
Affects: libvirt (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Jamie Strandboge

Bug Description

One of the virtual machines no longer wants to start after the path to the image file of a virtual disk was changed. The virtual disk resides on an NFS share. The NFS share is mounted by fstab because netfs doesn't come up automatically.
(Domain is called 'kolab')

alvin@stilgar:~$ virsh start kolab
error: Failed to start domain kolab
error: internal error unable to start guest: libvir: Security Labeling error : error calling aa_change_profile()

Workaround: disable apparmor, restart libvirt-bin, start the domain (and enable apparmor).
This is necessary at each boot of the guest.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: libvirt-bin 0.7.5-5ubuntu27.3
ProcVersionSignature: Ubuntu 2.6.32-25.44-server 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-server x86_64
Architecture: amd64
Date: Mon Oct 4 19:13:53 2010
ProcEnviron:
 PATH=(custom, user)
 LANG=C
 SHELL=/bin/bash
SourcePackage: libvirt

Jamie Strandboge (jdstrand) wrote :

Can you please attach the xml for the affected virtual machine, before and after the change?

Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Alvin (alvind) wrote :

Attached xml of previous configuration

Alvin (alvind) wrote :

Attached xml of new configuration

Jamie Strandboge (jdstrand) wrote :

Unfortunately, the error reporting in libvirt didn't make this easier, but the problem can be seen clearly with:
$ cat /tmp/kolab-new.xml | /usr/lib/libvirt/virt-aa-helper -c --dryrun -u libvirt-79b2a347-7841-39df-8399-c072b05e7f6f
libvir: Storage error : cannot open file '/libvirt/kolab.img': No such file or directory
virt-aa-helper: warning: could not open path, skipping
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /libvirt/kolab.img
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

What is happening is that virt-aa-helper does some checks to make sure the image is in an ok place, and if it isn't, fails. Because you chose '/libvirt/kolab.img', this matches as a restricted path, as seen in virt-aa-helper.c:
...
valid_path(const char *path, const bool readonly)
{
...
    const char * const restricted[] = {
        "/bin/",
        "/etc/",
        "/lib",
        "/lost+found/",
...

'/lib' is used instead of '/lib/' since we also want to match /lib32, /lib64 and anything else that might be a library path. As such, I am going to mark this as "Won't Fix" for now, but have made a note to improve the error feedback.

As a workaround, simply set your NFS mountpoint to something other than '/libvirt'. I suggest something FHS compliant such as /srv/<server name>/libvirt. Thanks for reporting this error and please feel free to report any other bugs you might find in Ubuntu.

Changed in libvirt (Ubuntu):
status: Incomplete → Won't Fix
summary: - libvir: Security Labeling error : error calling aa_change_profile()
+ virt-aa-helper fails on disks with absolute paths starting with /lib
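
Added example (not part of the bug thread and not libvirt's own code): a minimal C model of the restricted-path check described in the comment above, showing why '/libvirt/kolab.img' is rejected while a path under /srv is accepted. It assumes the list is matched by plain string-prefix comparison, uses only the four entries visible in the excerpt, and the function names, the 'nfs1' server name and the narrower libdir_component() rule are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Only the entries visible in the excerpt above; the real list is longer. */
static const char *const restricted[] = { "/bin/", "/etc/", "/lib", "/lost+found/" };
#define NRESTRICTED (sizeof(restricted) / sizeof(restricted[0]))

/* Assumed matching rule: the path is restricted if it starts with any entry. */
static int prefix_restricted(const char *path)
{
    for (size_t i = 0; i < NRESTRICTED; i++)
        if (strncmp(path, restricted[i], strlen(restricted[i])) == 0)
            return 1;
    return 0;
}

/* Hypothetical narrower rule: first component is "lib" plus optional digits
 * (lib, lib32, lib64). It spares /libvirt but also misses a library
 * directory such as /libx32, which the broad "/lib" prefix still catches. */
static int libdir_component(const char *path)
{
    if (strncmp(path, "/lib", 4) != 0)
        return 0;
    const char *p = path + 4;
    while (isdigit((unsigned char)*p))
        p++;
    return *p == '/' || *p == '\0';
}

int main(void)
{
    /* Constructed sample paths; the first is the one from this report. */
    const char *samples[] = { "/libvirt/kolab.img", "/lib64/ld.so", "/libx32/x.so",
                              "/srv/nfs1/libvirt/kolab.img", "/etc/passwd" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-30s prefix=%d libdir=%d\n", samples[i],
               prefix_restricted(samples[i]), libdir_component(samples[i]));
    return 0;
}
```

The difference between the two columns for /libx32 is the trade-off behind keeping '/lib' without a trailing slash: the broad prefix fails closed on unknown library directories at the cost of rejecting unrelated top-level names such as /libvirt.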