libvirt apparmor policy does not allow /lib/udev/scsi_id

Bug #992378 reported by Richard Laager on 2012-05-01
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)

Bug Description

SRU Justification:
1. Impact: virtual machines using an iSCSI storage pool do not work
2. Development fix: allow libvirt to execute /lib/udev/scsi_id
3. Stable fix: same as development fix
4. Test case: use an iscsi storage pool as backing store for a vm in
libvirt, and try to start it.
5. Regression potential: if there were a syntax error in the update, the
apparmor policy could refuse to load. Otherwise none.
When using an iSCSI storage pool, libvirt tries to run /lib/udev/scsi_id, which is denied:

type=1400 audit(1335826589.499:26): apparmor="DENIED" operation="exec" parent=29400 profile="/usr/sbin/libvirtd" name="/lib/udev/scsi_id" pid=30552 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

The apparmor policy should allow execution of /lib/udev/scsi_id.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libvirt-bin 0.9.8-2ubuntu17
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Mon Apr 30 23:49:46 2012
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
 # Site-specific additions and overrides for usr.sbin.libvirtd.
 # For more details, please see /etc/apparmor.d/local/README.
 /lib/udev/scsi_id PUx,
modified.conffile..etc.logrotate.d.libvirtd: [modified]
modified.conffile..etc.logrotate.d.libvirtd.lxc: [modified]
modified.conffile..etc.logrotate.d.libvirtd.qemu: [modified]
modified.conffile..etc.logrotate.d.libvirtd.uml: [modified]
mtime.conffile..etc.apparmor.d.local.usr.sbin.libvirtd: 2012-04-30T21:41:20.815809
mtime.conffile..etc.logrotate.d.libvirtd: 2012-04-30T17:53:14.571061
mtime.conffile..etc.logrotate.d.libvirtd.lxc: 2012-04-30T17:53:14.575062
mtime.conffile..etc.logrotate.d.libvirtd.qemu: 2012-04-30T17:53:14.575062
mtime.conffile..etc.logrotate.d.libvirtd.uml: 2012-04-30T17:53:14.579062

Richard Laager (rlaager) wrote :
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug.

To work around it you should be able to add

/lib/udev/scsi_id PUx

to your /etc/apparmor.d/local/usr.sbin.libvirtd file. If that does not suffice, that is, if you end up with a new denial message, please do let us know.

Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Richard Laager (rlaager) wrote :

I did. That file was attached to this bug report. I don't get any other denials.

Changed in libvirt (Ubuntu Quantal):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.8-2ubuntu18

libvirt (0.9.8-2ubuntu18) quantal; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: allow execution of /lib/udev/scsi_id
    (LP: #992378)
 -- Serge Hallyn <email address hidden> Wed, 02 May 2012 14:02:32 -0500

Changed in libvirt (Ubuntu Quantal):
status: In Progress → Fix Released
Serge Hallyn (serge-hallyn) wrote :

Thanks, Richard. I've uploaded the fix for quantal. To permit the SRU for precise, could you check the 'test case' ('#4') in the sru justification in the description and make sure it's right? I've pushed the tree to precise-proposed, but will wait for your ok to subscribe the ubuntu-sru team to this bug.

description: updated

Hello Richard, or anyone else affected,

Accepted libvirt into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See for documentation how to enable and use -proposed. Thank you in advance!

Changed in libvirt (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Richard Laager (rlaager) wrote :

The package in precise-proposed looks good.

Martin Pitt (pitti) on 2012-05-14
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.8-2ubuntu17.1

libvirt (0.9.8-2ubuntu17.1) precise-proposed; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: allow execution of /lib/udev/scsi_id
    (LP: #992378)
 -- Serge Hallyn <email address hidden> Wed, 02 May 2012 14:02:32 -0500

Changed in libvirt (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers