Creating a new VM in virt-manager fails because of apparmor permissions

Bug #1434999 reported by Petter Adsen
This bug affects 3 people
Affects: libvirt (Ubuntu)
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

When creating a new VM, it fails because of insufficient permissions. Adding permissions for /dev/shm/lttng-ust-wait-5 and /var/lib/libvirt/qemu/channel/target to /etc/apparmor.d/abstractions/libvirt-qemu seems to solve it, although there are still DENIED messages in the logs:

[ +0,208881] audit: type=1400 audit(1427028845.637:313): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=9562 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ +0,000045] audit: type=1400 audit(1427028845.637:314): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=9562 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I know literally nothing about apparmor, but I hope someone who does can look into this and fix it properly before release of 15.04. Please contact me if any more information is needed, I will be happy to help as much as I can.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: virt-manager 1:1.0.1-4ubuntu3
ProcVersionSignature: Ubuntu 3.19.0-9.9-generic 3.19.1
Uname: Linux 3.19.0-9-generic x86_64
ApportVersion: 2.16.2-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Mar 22 14:00:40 2015
EcryptfsInUse: Yes
InstallationDate: Installed on 2015-03-08 (13 days ago)
InstallationMedia: Xubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
PackageArchitecture: all
SourcePackage: virt-manager
UpgradeStatus: Upgraded to vivid on 2015-03-21 (0 days ago)

Petter Adsen (ducasse) wrote :
affects: virt-manager (Ubuntu) → libvirt (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status: New → Confirmed
Harald Hetzner (haraldhetzner) wrote :

It seems as if /etc/apparmor.d/abstractions/libvirt-lxc is also missing at least one necessary entry. In current Vivid,

$ virsh -c lxc:/// start test

fails, resulting in the following dmesg:

[ 2207.856469] audit: type=1400 audit(1427382800.914:235): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6827 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2207.856521] audit: type=1400 audit(1427382800.914:236): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6827 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2208.101311] audit: type=1400 audit(1427382801.158:237): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-9d578815-a1e9-4596-aef9-a70717574f0e" pid=6828 comm="apparmor_parser"
[ 2208.123112] device vnet2 entered promiscuous mode
[ 2208.490910] virbr0: port 2(vnet2) entered disabled state
[ 2208.492774] device vnet2 left promiscuous mode
[ 2208.492789] virbr0: port 2(vnet2) entered disabled state
[ 2208.648131] audit: type=1400 audit(1427382801.706:238): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6901 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2208.648223] audit: type=1400 audit(1427382801.706:239): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6901 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2209.018989] audit: type=1400 audit(1427382802.074:240): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-9d578815-a1e9-4596-aef9-a70717574f0e" pid=6904 comm="apparmor_parser"

Changed in libvirt (Ubuntu):
importance: Undecided → High
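
A triage helper for audit output like the logs quoted in this report, added here as an example (it is not part of the bug report or of libvirt). It groups AppArmor DENIED events by the profile that blocked the access, which in both logs is /usr/lib/libvirt/virt-aa-helper, and prints a candidate file rule for review. The function names are hypothetical, and the sample lines are copied from the dmesg output above.

```python
import re
from collections import Counter

# Sample lines copied from the dmesg output quoted in this report.
SAMPLE = """\
[ 2207.856469] audit: type=1400 audit(1427382800.914:235): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6827 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2208.101311] audit: type=1400 audit(1427382801.158:237): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-9d578815-a1e9-4596-aef9-a70717574f0e" pid=6828 comm="apparmor_parser"
[ 2208.123112] device vnet2 entered promiscuous mode
[ 2208.648131] audit: type=1400 audit(1427382801.706:238): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/shm/lttng-ust-wait-5" pid=6901 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # The audit subsystem hex-encodes names with spaces or quotes.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def summarize(text):
    """Count DENIED events per (profile, path, denied_mask)."""
    hits = Counter()
    for line in text.splitlines():
        f = parse_audit(line)
        if f and f.get("apparmor") == "DENIED":
            hits[(f["profile"], f.get("name", "?"), f.get("denied_mask", ""))] += 1
    return hits

def candidate_rule(path, mask):
    """Candidate file rule for review; create/delete fold into write."""
    perms = "".join(dict.fromkeys(mask.replace("c", "w").replace("d", "w")))
    return f"  {path} {perms},"

if __name__ == "__main__":
    for (profile, path, mask), count in summarize(SAMPLE).items():
        print(f"{count} denial(s) in profile {profile}")
        print(candidate_rule(path, mask))
```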