Comment 3 for bug 647664

Jamie Strandboge (jdstrand) wrote :

Actually, this is happening because virt-aa-helper is exiting with an error. Unfortunately, libvirt does not deal with this in a way that makes it easy to debug (i.e. 'Security labelling error').

E.g.:
$ cat /tmp/fiddle2.xml | /usr/lib/libvirt/virt-aa-helper -u libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f -c --dryrun
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /media/more/isos/ubuntu-10.10-beta-desktop-i386.iso: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /dev/main/fiddle2disk: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /usr/lib/grub-rescue/grub-rescue-floppy.img
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

Copying grub-rescue-floppy.img to /tmp and adjusting the XML works as expected:
$ cat /tmp/foo.xml | /usr/lib/libvirt/virt-aa-helper -u libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f -c --dryrun
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.725: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /media/more/isos/ubuntu-10.10-beta-desktop-i386.iso: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.726: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /dev/main/fiddle2disk: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.726: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /tmp/grub-rescue-floppy.img: No such file or directory
virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f.files
virt-aa-helper:
  "/var/log/libvirt/**/fiddle2.log" w,
  "/var/lib/libvirt/**/fiddle2.monitor" rw,
  "/var/run/libvirt/**/fiddle2.pid" rwk,
  "/media/more/isos/ubuntu-10.10-beta-desktop-i386.iso" r,
  # don't audit writes to readonly files
  deny "/media/more/isos/ubuntu-10.10-beta-desktop-i386.iso" w,
  "/dev/main/fiddle2disk" rw,
  "/tmp/grub-rescue-floppy.img" r,
  # don't audit writes to readonly files
  deny "/tmp/grub-rescue-floppy.img" w,

virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f
virt-aa-helper:
libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f
virt-aa-helper:
  #include <libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f.files>
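
Added example, not part of the original comment and not libvirt's own code: a small shell triage that separates the fatal "skipped restricted file" rejection from the harmless missing-path warnings in captured virt-aa-helper dry-run output. The function names are hypothetical, the sample is constructed from the failing run quoted above, and the two-line error layout is assumed from that output.

```shell
#!/bin/sh
# Constructed sample: output of the failing dry run quoted in the comment.
sample_output() {
cat <<'EOF'
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /media/more/isos/ubuntu-10.10-beta-desktop-i386.iso: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /dev/main/fiddle2disk: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /usr/lib/grub-rescue/grub-rescue-floppy.img
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
EOF
}

# Paths the helper refused: an "error: <absolute path>" line directly
# followed by "error: skipped restricted file" (layout assumed from the sample).
restricted_paths() {
  awk -v pfx='virt-aa-helper: error: ' '
    $0 == pfx "skipped restricted file" { if (p != "") print p; p = ""; next }
    index($0, pfx "/") == 1             { p = substr($0, length(pfx) + 1); next }
                                        { p = "" }'
}

# Paths that merely do not exist; these produce warnings, not the failure.
missing_paths() {
  sed -n 's/^.*Ignoring open failure on \(.*\): No such file or directory$/\1/p'
}

# Hypothetical helper: summarise one captured output stream read from stdin.
triage() {
  out=$(cat)
  printf '%s\n' "$out" | restricted_paths | while IFS= read -r f; do
    printf 'FATAL   restricted path rejected: %s\n' "$f"
  done
  printf '%s\n' "$out" | missing_paths | while IFS= read -r f; do
    printf 'warning path missing (not fatal): %s\n' "$f"
  done
}

sample_output | triage
```

To use it on a real domain, append `2>&1 | triage` to the dry-run command shown above in place of the constructed sample.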