libvirt apparmor policy does not allow /lib/udev/scsi_id
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Quantal | Fix Released | Medium | Unassigned |
Bug Description
=======
SRU Justification:
1. Impact: virtual machines using an iSCSI storage pool do not work
2. Development fix: allow libvirt to execute /lib/udev/scsi_id
3. Stable fix: same as development fix
4. Test case: use an iscsi storage pool as backing store for a vm in
libvirt, and try to start it.
5. Regression potential: if there were a syntax error in the update, the
apparmor policy could refuse to load. Otherwise none.
=======
When using an iSCSI storage pool, libvirt tries to run /lib/udev/scsi_id, which is denied:
type=1400 audit(133582658
The apparmor policy should allow execution of /lib/udev/scsi_id.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libvirt-bin 0.9.8-2ubuntu17
ProcVersionSign
Uname: Linux 3.2.0-24-generic x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Mon Apr 30 23:49:46 2012
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
ProcEnviron:
TERM=xterm
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
# Site-specific additions and overrides for usr.sbin.libvirtd.
# For more details, please see /etc/apparmor.
/lib/udev/scsi_id PUx,
Changed in libvirt (Ubuntu Quantal):
status: Triaged → In Progress
tags: added: verification-done removed: verification-needed
Thanks for reporting this bug.
To work around it you should be able to add
/lib/udev/scsi_id PUx,
to your /etc/apparmor.d/local/usr.sbin.libvirtd file. If that does not suffice, that is, if you end up with a new denial message, please do let us know.
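One way to check whether the local override covers the denials seen in the audit log, as an added example that is not part of the bug report or of libvirt or Ubuntu tooling. The audit lines are constructed samples, the profile name `/usr/sbin/libvirtd` is an assumption taken from the policy file name, and the function names are hypothetical.

```python
import re

# Constructed sample audit lines (the log line in the report is truncated).
SAMPLE_LOG = '''\
type=1400 audit(1700000000.000:101): apparmor="DENIED" operation="exec" parent=1 profile="/usr/sbin/libvirtd" name="/lib/udev/scsi_id" pid=2001 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=1400 audit(1700000001.000:102): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/libvirtd" name="/example/denied/file" pid=2002 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1700000002.000:103): apparmor="ALLOWED" operation="exec" parent=1 profile="/usr/sbin/other" name="/lib/udev/scsi_id" pid=2003 comm="other" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=1400 audit(1700000003.000:104): apparmor="DENIED" operation="exec" parent=1 profile="/usr/sbin/libvirtd" name="/lib/udev/scsi_id" pid=2004 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
'''
# The local override file before and after the workaround from the report.
LOCAL_BEFORE = "# Site-specific additions and overrides for usr.sbin.libvirtd.\n"
LOCAL_AFTER = LOCAL_BEFORE + "/lib/udev/scsi_id PUx,\n"

KV = re.compile(r'(\w+)="([^"]*)"')

def denied_execs(log, profile="/usr/sbin/libvirtd"):  # profile name is an assumption
    """Return unique paths whose execution AppArmor denied for `profile`."""
    paths = []
    for line in log.splitlines():
        f = dict(KV.findall(line))
        name = f.get("name")
        if (f.get("apparmor") == "DENIED" and f.get("profile") == profile
                and "x" in f.get("denied_mask", "") and name and name not in paths):
            paths.append(name)
    return paths

def exec_rules(policy_text):
    """Map path -> mode for plain '<path> <mode>,' exec rules.
    Globs and includes are not evaluated; a rule without the trailing comma
    is not counted, since AppArmor rules must end with one."""
    rules = {}
    for raw in policy_text.splitlines():
        m = re.fullmatch(r"(/\S+)\s+(\S*x),", raw.split("#", 1)[0].strip())
        if m:
            rules[m.group(1)] = m.group(2)
    return rules

def uncovered(log, policy_text):
    """Denied exec paths that the given policy text still has no rule for."""
    rules = exec_rules(policy_text)
    return [p for p in denied_execs(log) if p not in rules]

if __name__ == "__main__":
    for label, text in (("before", LOCAL_BEFORE), ("after", LOCAL_AFTER)):
        print(label, uncovered(SAMPLE_LOG, text))
```

The `PUx` mode runs the helper under its own profile if one is loaded and otherwise unconfined, with the environment scrubbed, so the override is worth reviewing whenever a dedicated profile for the helper is an option.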