apparmor denies VM startup when image is network mounted
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Won't Fix | High | Unassigned |
Vivid | Fix Released | High | Unassigned |
Wily | Fix Released | High | Unassigned |
Bug Description
=======
SRU Justification
Impact: cannot start vms on nfs mounted disk images
Testcase: set up libvirt managed nfs mount, try to start a vm on it.
Fix: add 'network ipv6' permission to virt-aa-helper's apparmor policy.
Regression potential: this only adds permission to use 'ipv6', alongside the
existing support for 'ipv4'. There should be no regressions.
=======
If I attempt to start a VM with one of its disk images on a libvirt managed NFS mount, it fails:
Oct 30 15:30:56 athens kernel: [545232.917662] audit: type=1400 audit(144623345
Changed in libvirt (Ubuntu):
importance: Undecided → High
Changed in libvirt (Ubuntu Trusty):
importance: Undecided → High
Changed in libvirt (Ubuntu Vivid):
importance: Undecided → High
Changed in libvirt (Ubuntu Wily):
importance: Undecided → High
description: updated
Thanks for reporting this bug.
Can you show the xml for the libvirt managed nfs storage and for the VM?
The virt-aa-helper policy has
# needed for when disk is on a network filesystem
network inet,
Which I suspect should prevent this from happening, so I will target this at apparmor.
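
Added example (not part of the bug report or of libvirt's own code): a triage script that compares the address families in AppArmor network denials against the `network` rules of a profile, showing that `network inet,` covers IPv4 only. The audit lines are constructed because the log on this page is truncated; the profile name `virt-aa-helper` and the AppArmor spelling `network inet6,` for the IPv6 rule are assumptions.

```python
import re

# Constructed profile excerpt containing the rule quoted in the comment above.
PROFILE_BEFORE = """
  # needed for when disk is on a network filesystem
  network inet,
"""
# Assumption: the IPv6 permission is written "network inet6," in AppArmor syntax.
PROFILE_AFTER = PROFILE_BEFORE + "  network inet6,\n"

# Constructed audit lines (sample values only): one network denial, one file denial.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="create" profile="virt-aa-helper" pid=1 comm="virt-aa-helper" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
kernel: audit: type=1400 audit(0.0:2): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/example" pid=1 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
"""

SOCK_TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw", "packet"}
RULE_RE = re.compile(r"(?:audit\s+)?network(?:\s+(\w+))?(?:\s+\w+)*\s*,")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def allowed_families(profile_text):
    """Return address families granted by allow-style 'network' rules ('*' = any)."""
    families = set()
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = RULE_RE.fullmatch(line)
        if m:
            first = m.group(1)
            # A bare 'network,' or a type-only rule is not limited to one family.
            families.add("*" if first is None or first in SOCK_TYPES else first)
    return families

def network_denials(log_text, profile_name):
    """Return the 'family' of every DENIED network event for the given profile."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if (fields.get("apparmor") == "DENIED"
                and fields.get("profile") == profile_name and "family" in fields):
            hits.append(fields["family"])
    return hits

def missing_families(profile_text, log_text, profile_name):
    """Families that were denied in the log and have no matching network rule."""
    allowed = allowed_families(profile_text)
    if "*" in allowed:
        return []
    return sorted({f for f in network_denials(log_text, profile_name) if f not in allowed})

if __name__ == "__main__":
    print("before:", missing_families(PROFILE_BEFORE, SAMPLE_LOG, "virt-aa-helper"))
    print("after: ", missing_families(PROFILE_AFTER, SAMPLE_LOG, "virt-aa-helper"))
```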