Comment 18 for bug 632696

Serge Hallyn (serge-hallyn) wrote : Re: libvirt won't start a VM with serial or console when apparmor is enabled

I chowned and chmoded /srv/libvirt-storage-pool-1 to be

serge@sergelap:~/ $ ls -ld /srv/libvirt-storage-pool-1/
drwxr-x--- 2 root kvm 4096 2010-09-03 09:45 /srv/libvirt-storage-pool-1/

and made sure to be in the kvm group, but this still did not suffice. The errors
in the log are as usual:

[ 2844.242158] type=1400 audit(1284123328.335:34): apparmor="DENIED" operation="open" parent=1006 profile="libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" name="/proc/1011/fd/" pid=1011 comm="kvm" requested_mask="r" denied_mask="r" fsuid=117 ouid=117
[ 2844.242322] type=1400 audit(1284123328.335:35): apparmor="DENIED" operation="exec" parent=1006 profile="libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" name="/usr/lib/pt_chown" pid=1011 comm="kvm" requested_mask="x" denied_mask="x" fsuid=117 ouid=0

I did an apt-get dist-upgrade yesterday, don't know if that's what re-caused the error.

I re-added the 3 lines to /etc/apparmor.d/abstractions/libvirt-qemu
and did 'sudo /etc/init.d/apparmor restart; sudo restart libvirt-bin', after which it still
failed but with the error:

[ 3056.875668] type=1400 audit(1284123541.145:53): apparmor="DENIED" operation="capable" parent=6063 profile="libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" pid=6065 comm="pt_chown" capability=3 capname="fowner"

It's not clear to me if there is an easy (and safe) way to hand cap_fowner to pt_chown there?
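
Added example (not part of the original comment, and not code from libvirt or AppArmor): a small Python parser for the denial records quoted above, grouping what was refused by profile and by the process that hit it, which makes the kvm -> pt_chown -> fowner chain easy to see. The function names are hypothetical; the sample lines are the three records from the comment.

```python
import re
from collections import defaultdict

# The three denial records quoted in the comment above, copied verbatim.
SAMPLE = [
    '[ 2844.242158] type=1400 audit(1284123328.335:34): apparmor="DENIED" operation="open" parent=1006 profile="libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" name="/proc/1011/fd/" pid=1011 comm="kvm" requested_mask="r" denied_mask="r" fsuid=117 ouid=117',
    '[ 2844.242322] type=1400 audit(1284123328.335:35): apparmor="DENIED" operation="exec" parent=1006 profile="libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" name="/usr/lib/pt_chown" pid=1011 comm="kvm" requested_mask="x" denied_mask="x" fsuid=117 ouid=0',
    '[ 3056.875668] type=1400 audit(1284123541.145:53): apparmor="DENIED" operation="capable" parent=6063 profile="libvirt-4b49b0f2-18e7-ef59-f9c6-d37703a6ca21" pid=6065 comm="pt_chown" capability=3 capname="fowner"',
]

AUDIT_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')   # epoch.millis:serial
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare


def parse_denial(line):
    """Return the fields of one AppArmor DENIED record as a dict, else None."""
    stamp = AUDIT_RE.search(line)
    if stamp is None:
        return None
    fields = {k: (u if u else q) for k, q, u in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    fields["epoch"] = int(stamp.group(1))
    fields["serial"] = int(stamp.group(3))
    return fields


def summarize(lines):
    """Map (profile, comm) -> sorted list of what the profile refused."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue  # not an AppArmor denial; skip other kernel log lines
        if rec.get("operation") == "capable":
            what = "capability " + rec.get("capname", "?")
        else:
            what = "%s %s (%s)" % (rec.get("operation", "?"),
                                   rec.get("name", "?"),
                                   rec.get("denied_mask", "?"))
        out[(rec["profile"], rec["comm"])].add(what)
    return {key: sorted(vals) for key, vals in out.items()}


if __name__ == "__main__":
    for (profile, comm), items in sorted(summarize(SAMPLE).items()):
        print(profile, comm)
        for item in items:
            print("   ", item)
```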