Unhelpful Security labelling error with read-only floppy image

Bug #647664 reported by Dave Gilbert
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Triaged
Low
Unassigned

Bug Description

I tried to add a floppy drive to a kvm/qemu image and attach it to the /usr/lib/grub-rescue/grub-rescue-floppy.img file.

On boot of the guest I get the following box:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 814, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 1296, in startup
    self._backend.create()
  File "/usr/lib/python2.6/dist-packages/libvirt.py", line 333, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error Process exited while reading console log output: libvir: Security Labeling error : internal error error calling aa_change_profile()

Since this mentions absolutely nothing about floppy permissions it's pretty useless to a user; further more since the image is marked read only it should be able to use that floppy.

Attaching config file.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libvirt-bin 0.8.3-1ubuntu14
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
CheckboxSubmission: f2d10bd9f943a85b486a282e7840a570
CheckboxSystem: 0531969bcfd4f03af7405c98dc94a948
Date: Sat Sep 25 19:03:12 2010
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.utf8
 SHELL=/bin/bash
SourcePackage: libvirt

Revision history for this message
Dave Gilbert (ubuntu-treblig) wrote :
Revision history for this message
Mathias Gug (mathiaz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Is there any message in the kernel log related to apparmor?

Changed in libvirt (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Actually, this is happening because virt-aa-helper is exiting with error. Unfortunately, libvirt does not deal with this in a way that makes it easy to debug (ie 'Security labelling error').

Eg:
$ cat /tmp/fiddle2.xml | /usr/lib/libvirt/virt-aa-helper -u libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f -c --dryrun
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /media/more/isos/ubuntu-10.10-beta-desktop-i386.iso: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /dev/main/fiddle2disk: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /usr/lib/grub-rescue/grub-rescue-floppy.img
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

Copying grub-rescue-floppy.img to /tmp and adjusting the XML works as expected:
$ cat /tmp/foo.xml | /usr/lib/libvirt/virt-aa-helper -u libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f -c --dryrun
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.725: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /media/more/isos/ubuntu-10.10-beta-desktop-i386.iso: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.726: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /dev/main/fiddle2disk: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.726: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /tmp/grub-rescue-floppy.img: No such file or directory
virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f.files
virt-aa-helper:
  "/var/log/libvirt/**/fiddle2.log" w,
  "/var/lib/libvirt/**/fiddle2.monitor" rw,
  "/var/run/libvirt/**/fiddle2.pid" rwk,
  "/media/more/isos/ubuntu-10.10-beta-desktop-i386.iso" r,
  # don't audit writes to readonly files
  deny "/media/more/isos/ubuntu-10.10-beta-desktop-i386.iso" w,
  "/dev/main/fiddle2disk" rw,
  "/tmp/grub-rescue-floppy.img" r,
  # don't audit writes to readonly files
  deny "/tmp/grub-rescue-floppy.img" w,

virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f
virt-aa-helper:
libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f
virt-aa-helper:
  #include <libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f.files>

Changed in libvirt (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This 'fix' for this is to move "/usr/lib" (and probably "/usr/share/") from restricted[] in src/security/virt-aa-helper.c:valid_path() to restricted_rw[]. I'm not sure this is generally desirable and want to think about it more.

Revision history for this message
Dave Gilbert (ubuntu-treblig) wrote :

I can see that it would make sense to allow /usr/lib and /usr/share to be read.

The wider question is how to give sane errors; the error didn't say anything about it being the floppy image, so it was luck
that this was the only thing I'd changed other wise it would have been difficult to track down.
Tracking down that it was the /usr/lib would have been non-trivial as well for those of us not familiar with the rules it has.

Dave

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.