apparmor policy for libvirt can't cope with symlinked /var/lib/libvirt
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Confirmed | Wishlist | Unassigned |
Bug Description
[ubuntu 12.04 desktop amd64, libvirt-bin 0.9.8-2ubuntu1]
For disk management purposes I wanted to move /var/lib/libvirt to /u/libvirt and put a symlink in the original place. However, domains would then not start:
$ virsh start pc1
error: Failed to start domain pc1
error: internal error Process exited while reading console log output: bind(unix:
chardev: opening backend "socket" failed: Permission denied
This is true even if virsh is run as root, so it appears to be an apparmor issue.
Here are the generated policies:
$ virsh dumpxml pc1 | grep uuid
<uuid>
$ cat /etc/apparmor.
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-
#include <abstractions/
#include <libvirt/
}
$ cat /etc/apparmor.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/
"/var/
"/var/
"/run/
"/var/
"/run/
"/u/libvirt/
"/u/libvirt/
# don't audit writes to readonly files
deny "/u/libvirt/
They have taken into account that the image files are under /u/libvirt, but not the pc1.monitor file (second entry).
Since these policies are auto-generated I cannot fix them manually.
Workaround: only move /var/lib/
Indeed, these lines are added explicitly by code in libvirt/security/virt-aa-helper.c.
Converting these to be added through a template may be a nice feature.
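As an added diagnostic (not code from this bug report or from libvirt), the shell function below scans a libvirt-generated AppArmor file for quoted rule paths that cross a symlink, which is exactly the mismatch described above: AppArmor matches on the resolved path, so a rule written for /var/lib/libvirt/qemu/pc1.monitor never applies once /var/lib/libvirt is a symlink to /u/libvirt. The fixture directory, the profile contents and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from libvirt.
# AppArmor mediates on the resolved (real) path, so a rule written for
# /var/lib/libvirt/qemu/pc1.monitor never matches once /var/lib/libvirt is a
# symlink to /u/libvirt. This scans a generated profile for such rules.

# Print every quoted rule path in $1 whose canonical form differs from the
# literal text, as "<literal> -> <canonical>", one per line.
find_symlinked_rules() {
    grep -o '"[^"]*"' "$1" | tr -d '"' | while read -r p; do
        # The object itself (e.g. a monitor socket) may not exist yet, so
        # canonicalize only the longest existing directory prefix.
        dir=$(dirname "$p")
        while [ ! -d "$dir" ] && [ "$dir" != "/" ]; do
            dir=$(dirname "$dir")
        done
        real=$(cd "$dir" && pwd -P)
        case "$p" in
            "$dir"/*) canon="$real${p#"$dir"}" ;;
            *)        canon="$p" ;;
        esac
        [ "$canon" = "$p" ] || printf '%s -> %s\n' "$p" "$canon"
    done
}

# Constructed fixture reproducing the report under a temp dir: the reporter's
# /var/lib/libvirt -> /u/libvirt symlink plus a profile with one rule that
# still uses the /var/lib path (the .monitor socket) and one that does not.
make_fixture() {
    root=$(cd "$(mktemp -d)" && pwd -P)   # canonical, so only our symlink counts
    mkdir -p "$root/u/libvirt/qemu" "$root/var/lib"
    ln -s "$root/u/libvirt" "$root/var/lib/libvirt"
    cat > "$root/profile" <<EOF
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "$root/var/lib/libvirt/qemu/pc1.monitor" rw,
  "$root/u/libvirt/images/pc1.img" rw,
EOF
    printf '%s\n' "$root"
}

# Stand-alone run: build the fixture, report the mismatching rule, clean up.
root=$(make_fixture)
find_symlinked_rules "$root/profile"
rm -rf "$root"
```

Against a real host, point find_symlinked_rules at the generated /etc/apparmor.d/libvirt/libvirt-<uuid>.files; any line it prints is a rule the domain cannot actually be granted.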