2022-02-25 13:59:37 |
Martin Pitt |
description |
# lsb_release -rd
Description: Ubuntu 21.10
Release: 21.10
Package: apparmor
Version: 3.0.3-0ubuntu1
Package: virtinst
Version: 1:3.2.0-3
When trying to re-install an existing VM with UEFI boot set up using the
recently introduced `--reinstall` option, AppArmor makes the installation
fail with the following error:
Could not open '/var/lib/libvirt/qemu/nvram/test_VARS.fd': Permission denied
Steps to reproduce:
Create a VM:
root@ubuntu:~# virt-install --connect qemu:///system --quiet --os-variant
fedora28 --memory 1024 --name test --wait -1 --disk size=1,format=qcow2
--print-xml 1 > /tmp/test1.xml
Edit the VM configuration to enable automatic UEFI boot by changing the
<os> as follows:
- <os>
+ <os firmware='efi'>
Define the VM:
root@ubuntu:~# virsh define /tmp/test1.xml
Start VM installation:
root@ubuntu:~# virt-install --connect qemu:///system --reinstall test --wait -1 --noautoconsole --cdrom /var/lib/libvirt/novell.iso --autostart
WARNING No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.
Starting install...
ERROR internal error: process exited while connecting to monitor: 2022-02-23T18:56:54.738510Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/test_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/libvirt/qemu/nvram/test_VARS.fd': Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///system start test
otherwise, please restart your installation.
Expected behavior:
VM installation will start without apparmor error.
Actual behavior:
The above denial happens:
Feb 23 18:56:54 ubuntu audit[4420]: AVC apparmor="DENIED" operation="open" profile="libvirt-bdd92fa6-6030-4980-951c-2a52ec7e406c" name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4420 comm="qemu-system-x86" requested_mask="r" denied_m>
and stops the installation. |
# lsb_release -rd
Description: Ubuntu 21.10
Release: 21.10
Package: apparmor
Version: 3.0.3-0ubuntu1
Package: virtinst
Version: 1:3.2.0-3
When trying to re-install an existing VM with UEFI boot set up using the
recently introduced `--reinstall` option, AppArmor makes the installation
fail with the following error:
Could not open '/var/lib/libvirt/qemu/nvram/test_VARS.fd': Permission denied
Steps to reproduce:
Create a VM:
root@ubuntu:~# virt-install --connect qemu:///system --quiet --os-variant
fedora28 --memory 1024 --name test --wait -1 --disk size=1,format=qcow2
--print-xml 1 > /tmp/test1.xml
Edit the VM configuration to enable automatic UEFI boot by changing the
<os> as follows:
- <os>
+ <os firmware='efi'>
Define the VM:
root@ubuntu:~# virsh define /tmp/test1.xml
Start VM installation:
root@ubuntu:~# virt-install --connect qemu:///system --reinstall test --wait -1 --noautoconsole --cdrom /var/lib/libvirt/novell.iso --autostart
WARNING No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.
Starting install...
ERROR internal error: process exited while connecting to monitor: 2022-02-23T18:56:54.738510Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/test_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/libvirt/qemu/nvram/test_VARS.fd': Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///system start test
otherwise, please restart your installation.
Expected behavior:
VM installation will start without apparmor error.
Actual behavior:
The above denials happen:
audit: type=1400 audit(1645796875.169:132): apparmor="DENIED" operation="open" profile="libvirt-68567d5b-c2c1-4256-9931-ce675df2f9b0" name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4909 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
same thing later on for "k" (locking)
audit: type=1400 audit(1645796969.776:151): apparmor="DENIED" operation="file_lock" profile="libvirt-68567d5b-c2c1-4256-9931-ce675df2f9b0" name="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd" pid=5125 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=64055 ouid=0
and stop the installation. |
|
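Added example, not part of the original report and not libvirt or AppArmor code: a Python triage of the denial records quoted above that groups them by profile and lists candidate file rules for review. It assumes mask letters can be copied as logged (true for the r and k seen here) and sets aside records that the journal truncated; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the three denial records quoted in the report (the first is cut off by the journal).
SAMPLE_LOG = '''\
Feb 23 18:56:54 ubuntu audit[4420]: AVC apparmor="DENIED" operation="open" profile="libvirt-bdd92fa6-6030-4980-951c-2a52ec7e406c" name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4420 comm="qemu-system-x86" requested_mask="r" denied_m>
audit: type=1400 audit(1645796875.169:132): apparmor="DENIED" operation="open" profile="libvirt-68567d5b-c2c1-4256-9931-ce675df2f9b0" name="/var/lib/libvirt/qemu/nvram/test_VARS.fd" pid=4909 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
audit: type=1400 audit(1645796969.776:151): apparmor="DENIED" operation="file_lock" profile="libvirt-68567d5b-c2c1-4256-9931-ce675df2f9b0" name="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd" pid=5125 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=64055 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Split apparmor="DENIED" lines into (complete, truncated) lists of field dicts."""
    complete, truncated = [], []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for key, quoted, bare in FIELD.findall(line):
            value = bare or quoted
            if key == "name" and bare:  # an unquoted name is hex-encoded by the audit layer
                try:
                    value = bytes.fromhex(bare).decode("utf-8", "replace")
                except ValueError:
                    pass
            rec[key] = value
        ok = all(k in rec for k in ("profile", "name", "denied_mask"))
        (complete if ok else truncated).append(rec)
    return complete, truncated

def candidate_rules(records):
    """Merge denied masks per (profile, path) into rule lines for manual review."""
    masks = defaultdict(set)
    for r in records:
        masks[(r["profile"], r["name"])].update(r["denied_mask"])
    rules = defaultdict(list)
    for (profile, path), perms in sorted(masks.items()):
        rules[profile].append('"%s" %s,' % (path, "".join(sorted(perms))))
    return dict(rules)

if __name__ == "__main__":
    complete, truncated = parse_denials(SAMPLE_LOG)
    for profile, lines in candidate_rules(complete).items():
        print(profile, *lines, sep="\n  ")
    print("truncated records skipped:", len(truncated))
```

Truncated records are counted rather than guessed at, so a cut-off journal line should be re-read in full (for example from the kernel audit log) before drawing conclusions from it.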