apparmor policy for libvirt can't cope with symlinked /var/lib/libvirt

Bug #1001895 reported by Brian Candler on 2012-05-20
This bug affects 4 people
Affects: libvirt (Ubuntu)

Bug Description

[ubuntu 12.04 desktop amd64, libvirt-bin 0.9.8-2ubuntu1]

For disk management purposes I wanted to move /var/lib/libvirt to /u/libvirt and put a symlink at the original place. However, domains would then not start:

$ virsh start pc1
error: Failed to start domain pc1
error: internal error Process exited while reading console log output: bind(unix:/var/lib/libvirt/qemu/pc1.monitor): Permission denied
chardev: opening backend "socket" failed: Permission denied

This is true even if virsh is run as root, so it appears to be an apparmor issue.

Here are the generated policies:

$ virsh dumpxml pc1 | grep uuid

$ cat /etc/apparmor.d/libvirt/libvirt-3781af8c-e236-41ae-bf19-02d78558a850
# This profile is for the domain whose UUID matches this file.

#include <tunables/global>

profile libvirt-3781af8c-e236-41ae-bf19-02d78558a850 {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-3781af8c-e236-41ae-bf19-02d78558a850.files>
}

$ cat /etc/apparmor.d/libvirt/libvirt-3781af8c-e236-41ae-bf19-02d78558a850.files
  "/var/log/libvirt/**/pc1.log" w,
  "/var/lib/libvirt/**/pc1.monitor" rw,
  "/var/run/libvirt/**/" rwk,
  "/run/libvirt/**/" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.pc1" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.pc1" rw,
  "/u/libvirt/images/gold/pc1.qcow2" rw,
  "/u/libvirt/images/gold/tmp2HK2hV.qcow2" r,
  # don't audit writes to readonly files
  deny "/u/libvirt/images/gold/tmp2HK2hV.qcow2" w,

They have taken into account that the image files are under /u/libvirt, but not the pc1.monitor file (second entry).

Since these policies are auto-generated I cannot fix them manually.

Workaround: only move /var/lib/libvirt/images to an external location, and leave the rest of /var/lib/libvirt where it was.
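A check for the mismatch the report describes, added here as an example and not part of the report or of libvirt: it parses the quoted rules of a virt-aa-helper .files fragment, resolves each rule's literal path prefix on disk, and flags rules whose prefix is reached through a symlink (AppArmor matches the kernel-resolved path, so such a rule never applies to the real socket). The directory tree, the sample profile text and the `root` parameter are constructed for offline testing.

```python
import os
import re
import tempfile

# One file rule per line, as virt-aa-helper emits them: optional "deny", quoted path, mode.
RULE_RE = re.compile(r'^\s*(?:deny\s+)?"([^"]+)"\s+([a-z]+),\s*$')

def rule_paths(profile_text):
    """Return the quoted path pattern of every file rule in a .files fragment."""
    return [m.group(1) for m in map(RULE_RE.match, profile_text.splitlines()) if m]

def literal_prefix(pattern):
    """Path before the first AppArmor glob character, e.g. '/var/lib/libvirt/' for
    '/var/lib/libvirt/**/pc1.monitor'; only this part can be resolved on disk."""
    cut = min((pattern.find(c) for c in "*?[{" if c in pattern), default=len(pattern))
    return pattern[:cut]

def symlinked_rules(profile_text, root="/"):
    """Return (pattern, resolved_prefix) for rules whose literal prefix goes through a
    symlink. `root` re-bases the absolute rule paths onto a constructed tree for testing."""
    root = os.path.realpath(root)
    findings = []
    for pattern in rule_paths(profile_text):
        prefix = literal_prefix(pattern).rstrip("/")
        on_disk = os.path.join(root, prefix.lstrip("/"))
        resolved = os.path.realpath(on_disk)  # what the kernel, and thus AppArmor, sees
        if resolved != os.path.normpath(on_disk):
            findings.append((pattern, "/" + os.path.relpath(resolved, root)))
    return findings

def build_demo_tree():
    """Constructed layout mirroring the report: /var/lib/libvirt is a symlink to /u/libvirt."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "u/libvirt/qemu"))
    os.makedirs(os.path.join(root, "var/lib"))
    os.makedirs(os.path.join(root, "var/log/libvirt/qemu"))
    os.symlink(os.path.join(root, "u/libvirt"), os.path.join(root, "var/lib/libvirt"))
    return root

# Constructed sample, modelled on the .files fragment quoted in the report.
SAMPLE_PROFILE = """\
  "/var/log/libvirt/**/pc1.log" w,
  "/var/lib/libvirt/**/pc1.monitor" rw,
  "/u/libvirt/images/gold/pc1.qcow2" rw,
  deny "/u/libvirt/images/gold/tmp2HK2hV.qcow2" w,
"""

if __name__ == "__main__":
    for pattern, real in symlinked_rules(SAMPLE_PROFILE, build_demo_tree()):
        print(f"{pattern!r} never matches: the kernel sees paths under {real}")
```

Only the monitor rule is reported; the image rules already carry the real /u/libvirt path, which is exactly the inconsistency the report points out.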

Serge Hallyn (serge-hallyn) wrote:

Indeed, these lines are added explicitly by code in libvirt/security/virt-aa-helper.c.

Converting these to be added through a template may be a nice feature.

Changed in libvirt (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Serge Hallyn (serge-hallyn) wrote:

After discussion, the right way to do this would be to submit a patch specifying the monitor location in the domain xml file. Have libvirt respect that both when creating and using the monitor, and when creating the security rules (for both apparmor and selinux).

Changed in libvirt (Ubuntu):
importance: Low → Wishlist