[Pkg-libvirt-maintainers] Bug#1030684: libvirtd: apparmor DENIED for /etc/ssl/openssl.cnf results in VM paused with IO error

Arturo Borrero Gonzalez arturo at debian.org
Mon Feb 6 13:29:42 GMT 2023


Package: libvirt-daemon-system
Version: 9.0.0-1
Severity: normal

Dear maintainers,

thanks for your work with this package, really appreciated.

Today, working with libvirt/virt-manager in a freshly installed Debian Testing system (bookworm),
I installed a virtual machine that would pause on its own after some use time, with I/O error.

When checking the `dmesg` utility, I found an apparmor DENIED entry:

audit: type=1400 audit(1675687963.952:121): apparmor="DENIED" operation="open" profile="libvirt-ff5c79a6-f53b-473b-b181-f1148e861bde" name="/etc/ssl/openssl.cnf" pid=40557 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

I've tested several VMs and they all go into this IO error state with similar apparmor messages after a while.

Other bugs I've read for similar problems are the following:
* #971837 -- libvirt-daemon: apparmor error when creating VM
* #934459 -- AppArmor configuration doesn't cover openssl.cnf in /etc/ssl/

regards.


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-3-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon-system depends on:
ii  adduser                         3.130
ii  debconf [debconf-2.0]           1.5.82
ii  gettext-base                    0.21-11
ii  iptables                        1.8.9-2
ii  libvirt-clients                 9.0.0-1
ii  libvirt-daemon                  9.0.0-1
ii  libvirt-daemon-config-network   9.0.0-1
ii  libvirt-daemon-config-nwfilter  9.0.0-1
ii  libvirt-daemon-system-systemd   9.0.0-1
ii  logrotate                       3.21.0-1
ii  polkitd                         122-3

Versions of packages libvirt-daemon-system recommends:
ii  dmidecode                    3.4-1
ii  dnsmasq-base [dnsmasq-base]  2.88-1
ii  iproute2                     6.1.0-1
ii  mdevctl                      1.2.0-3
ii  parted                       3.5-3

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    3.0.8-2+b1
pn  auditd      <none>
pn  nfs-common  <none>
pn  open-iscsi  <none>
pn  pm-utils    <none>
ii  systemd     252.5-2
pn  systemtap   <none>
pn  zfsutils    <none>

-- Configuration Files:
/etc/libvirt/qemu.conf [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'

-- debconf information:
  libvirt-daemon-system/id_warning: true
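
Added example, not part of the original report or of libvirt: a small triage script that parses AppArmor audit records like the one quoted above and groups the DENIED events by profile and path, so repeated denials across several guests can be compared. The function names are hypothetical, the second sample line is constructed, and the `libvirt-<UUID>` profile naming is assumed from the record in the report.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the report; the second is constructed for contrast.
SAMPLE_LOG = '''\
audit: type=1400 audit(1675687963.952:121): apparmor="DENIED" operation="open" profile="libvirt-ff5c79a6-f53b-473b-b181-f1148e861bde" name="/etc/ssl/openssl.cnf" pid=40557 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
audit: type=1400 audit(1675688000.100:122): apparmor="ALLOWED" operation="open" profile="example-profile" name="/tmp/constructed" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted" or key=bare pairs, as printed in kernel audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: per-guest profiles are named libvirt-<domain UUID>, as in the report
VM_PROFILE_RE = re.compile(r'^libvirt-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$')

def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {m[1]: m[2] if m[2] is not None else m[3] for m in FIELD_RE.finditer(line)}

def summarize_denials(log_text):
    """Group DENIED events by (profile, path) and return one summary per group."""
    groups = defaultdict(lambda: {"count": 0, "masks": set(), "comms": set()})
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        g = groups[(f.get("profile", "?"), f.get("name", "?"))]
        g["count"] += 1
        g["masks"].update(f.get("denied_mask", ""))  # one character per permission
        g["comms"].add(f.get("comm", "?"))
    out = []
    for (profile, path), g in sorted(groups.items()):
        vm = VM_PROFILE_RE.match(profile)
        out.append({"profile": profile, "vm_uuid": vm.group(1) if vm else None,
                    "path": path, "denied": "".join(sorted(g["masks"])),
                    "comms": sorted(g["comms"]), "count": g["count"]})
    return out

if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_LOG):
        print(d)
```
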


