Creating a new VM in virt-manager fails because of apparmor permissions

Bug #1434999 reported by Petter Adsen on 2015-03-22
This bug affects 3 people
Affects: libvirt (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

When creating a new VM, it fails because of insufficient permissions. Adding permissions for /dev/shm/lttng-ust-wait-5 and /var/lib/libvirt/qemu/channel/target to /etc/apparmor.d/abstractions/libvirt-qemu seems to solve it, although there are still DENIED messages in the logs:

[ +0,208881] audit: type=1400 audit(1427028845.637:313): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=9562 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ +0,000045] audit: type=1400 audit(1427028845.637:314): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=9562 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I know literally nothing about apparmor, but I hope someone who does can look into this and fix it properly before release of 15.04. Please contact me if any more information is needed, I will be happy to help as much as I can.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: virt-manager 1:1.0.1-4ubuntu3
ProcVersionSignature: Ubuntu 3.19.0-9.9-generic 3.19.1
Uname: Linux 3.19.0-9-generic x86_64
ApportVersion: 2.16.2-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Mar 22 14:00:40 2015
EcryptfsInUse: Yes
InstallationDate: Installed on 2015-03-08 (13 days ago)
InstallationMedia: Xubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
PackageArchitecture: all
SourcePackage: virt-manager
UpgradeStatus: Upgraded to vivid on 2015-03-21 (0 days ago)

Petter Adsen (ducasse) wrote :
affects: virt-manager (Ubuntu) → libvirt (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status: New → Confirmed
Harald Hetzner (haraldhetzner) wrote :

It seems as if /etc/apparmor.d/abstractions/libvirt-lxc is also missing at least one necessary entry. In current Vivid,

$ virsh -c lxc:/// start test

fails, resulting in the following dmesg:

[ 2207.856469] audit: type=1400 audit(1427382800.914:235): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6827 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2207.856521] audit: type=1400 audit(1427382800.914:236): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6827 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2208.101311] audit: type=1400 audit(1427382801.158:237): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-9d578815-a1e9-4596-aef9-a70717574f0e" pid=6828 comm="apparmor_parser"
[ 2208.123112] device vnet2 entered promiscuous mode
[ 2208.490910] virbr0: port 2(vnet2) entered disabled state
[ 2208.492774] device vnet2 left promiscuous mode
[ 2208.492789] virbr0: port 2(vnet2) entered disabled state
[ 2208.648131] audit: type=1400 audit(1427382801.706:238): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6901 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2208.648223] audit: type=1400 audit(1427382801.706:239): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6901 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2209.018989] audit: type=1400 audit(1427382802.074:240): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-9d578815-a1e9-4596-aef9-a70717574f0e" pid=6904 comm="apparmor_parser"

Changed in libvirt (Ubuntu):
importance: Undecided → High
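
Added example, not part of the bug report or of libvirt's own tooling: a small Python parser that groups AppArmor DENIED file events like the ones quoted above by the profile that logged them, so each candidate rule is attributed to the right profile (in these logs, /usr/lib/libvirt/virt-aa-helper). The function names, the "example-profile" name and the hex-encoded sample line are assumptions made for illustration.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in KV.findall(line):
        # The audit subsystem writes names containing spaces or control
        # characters as unquoted hex; decode those so paths stay readable.
        if bare and key in ("name", "profile") and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    return fields

def summarize_denials(lines):
    """Count file DENIED events per (profile, path, denied_mask)."""
    counts = Counter()
    for line in lines:
        f = parse_audit(line)
        if f and f.get("apparmor") == "DENIED" and "name" in f and "denied_mask" in f:
            counts[(f.get("profile", "?"), f["name"], f["denied_mask"])] += 1
    return counts

def candidate_rules(counts):
    """Group candidate file rules (to review, not paste blindly) by profile."""
    rules = {}
    for profile, name, mask in sorted(counts):
        # Logged c (create) and d (delete) are covered by w in policy syntax.
        perms = "".join(dict.fromkeys(mask.replace("c", "w").replace("d", "w")))
        path = f'"{name}"' if " " in name else name
        rules.setdefault(profile, set()).add(f"{path} {perms},")
    return {p: sorted(r) for p, r in rules.items()}

# Two lines taken from the dmesg output above, plus one constructed line with a
# hex-encoded path (hypothetical file name) to exercise the decoding branch.
SAMPLE = [
    '[ 2207.856469] audit: type=1400 audit(1427382800.914:235): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6827 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 2208.101311] audit: type=1400 audit(1427382801.158:237): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-9d578815-a1e9-4596-aef9-a70717574f0e" pid=6828 comm="apparmor_parser"',
    'audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="open" profile="example-profile" name=' + "/tmp/my disk.img".encode().hex().upper() + ' pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for profile, rules in candidate_rules(summarize_denials(SAMPLE)).items():
        print(profile, rules)
```

Exec (x) denials are not handled here, because the transition mode for an exec rule has to be chosen by hand.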