Error with seclabel "apparmor" since upgrading from 18.04 to 20.04

Bug #1896937 reported by Wladimir J. van der Laan
Affects: libvirt (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

This configuration seems to no longer work after upgrading a machine from Ubuntu 18.04 to Ubuntu 20.04:

    <seclabel type='dynamic' model='apparmor' relabel='yes'/>

When starting a domain with this configuration in the XML definition, the following error appears and the domain fails to start:

    error: unsupported configuration: Security driver model 'apparmor' is not available

Is this to be expected? I wouldn't expect this on first glance because the apparmor profiles are still included:

    $ dpkg -S /etc/apparmor.d/usr.sbin.libvirtd
    libvirt-daemon-system: /etc/apparmor.d/usr.sbin.libvirtd
    $ apt-cache policy libvirt-daemon-system
    libvirt-daemon-system:
      Installed: 6.0.0-0ubuntu8.3
      Candidate: 6.0.0-0ubuntu8.3
    $ apt-cache policy libvirt-daemon
    libvirt-daemon:
      Installed: 6.0.0-0ubuntu8.3
      Candidate: 6.0.0-0ubuntu8.3
    $ apt-cache policy apparmor
    apparmor:
      Installed: 2.13.3-7ubuntu5.1
      Candidate: 2.13.3-7ubuntu5.1

Files like /etc/apparmor.d/libvirt/TEMPLATE.qemu definitely do exist.

Am I missing something, is this a driver I need to install separately?

Wladimir J. van der Laan (laanwj) wrote :

I've just noticed a "Failed to start Load AppArmor profiles." "See 'systemctl status apparmor.service' for details." error at startup. I suspect it may be related. Will investigate.

Christian Ehrhardt (paelzer) wrote :

Hi,
Please check with aa-status whether libvirtd itself is in enforce mode.
If it isn't, it can't provide apparmor seclabel handling to guests.

Should be something like (reduced the length a bit):

    $ sudo aa-status | grep -e mode -e libvirt
    257 profiles are in enforce mode.
       libvirtd
       libvirtd//qemu_bridge_helper
    12 profiles are in complain mode.
    181 processes are in enforce mode.
       /usr/sbin/libvirtd (2522) libvirtd
    0 processes are in complain mode.

Changed in libvirt (Ubuntu):
status: New → Incomplete
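
The check described in the reply above, as an added example that is not part of the original bug report: shell functions that parse `aa-status` text and report whether the `libvirtd` profile and process are listed in enforce mode. The function names (`aa_mode`, `libvirtd_confined`) and both sample outputs are constructed for illustration.

```shell
# Added example; function names and sample text are constructed.

# aa_mode SECTION NAME: read `aa-status` text on stdin and print the mode
# (enforce, complain, ...) in which NAME is listed under SECTION
# ("profiles" or "processes"), or "absent" when it is not listed.
aa_mode() {
    awk -v section="$1" -v name="$2" '
        # List headers look like "257 profiles are in enforce mode."
        /^[0-9]+ (profiles|processes) are in [a-z]+ mode\.$/ {
            cur = $2; mode = $(NF - 1); next
        }
        /^[^ ]/ { cur = ""; next }      # other unindented lines end a list
        # Profile entries are "   NAME"; process entries are
        # "   /path (PID) NAME", so the profile is the last field in both.
        cur == section && $NF == name { print mode; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# libvirtd_confined FILE: succeed only when the libvirtd profile is loaded
# in enforce mode and the running daemon is confined by it.
libvirtd_confined() {
    [ "$(aa_mode profiles libvirtd < "$1")" = enforce ] &&
        [ "$(aa_mode processes libvirtd < "$1")" = enforce ]
}

# Constructed samples: a healthy host, and one where the profile never loaded.
good=$(mktemp) bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
257 profiles are in enforce mode.
   libvirtd
   libvirtd//qemu_bridge_helper
12 profiles are in complain mode.
181 processes are in enforce mode.
   /usr/sbin/libvirtd (2522) libvirtd
0 processes are in complain mode.
EOF
cat > "$bad" <<'EOF'
3 profiles are in enforce mode.
   /sbin/dhclient
1 processes are in enforce mode.
   /sbin/dhclient (811)
EOF

for f in "$good" "$bad"; do
    libvirtd_confined "$f" && echo "libvirtd: confined (enforce)" || echo "libvirtd profile: $(aa_mode profiles libvirtd < "$f")"
done
```

On a live host, save the output of `sudo aa-status` to a file and pass that file to `libvirtd_confined`.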
Wladimir J. van der Laan (laanwj) wrote :

Thanks!

Right. Libvirt's apparmor wasn't in enforce mode. It didn't even load the profile for it. Apparmor is enabled but only enforcing for a few things such as dhclient.

The "systemctl status apparmor.service" showed that the profile for libvirt wasn't loaded at all because a "/etc/apparmor.d/local/..libvirt.." file was missing. I was not sure what to do so I created an empty file.
That made the apparmor profile load green, at least.

The "error: unsupported configuration: Security driver model 'apparmor' is not available" did not go away, however.

Unfortunately the power supply of the machine broke (I hope this is unrelated) so I'll likely only be able to investigate this further next week.

Wladimir J. van der Laan (laanwj) wrote :

The issue has been resolved (after making sure the libvirt profile is loading correctly again), thanks! Can be closed.

Robie Basak (racb) wrote :

Thank you for reporting back!

Changed in libvirt (Ubuntu):
status: Incomplete → Invalid