[pkg-apparmor] Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled

intrigeri intrigeri at debian.org
Thu Aug 3 14:48:47 UTC 2017


Hi,

Guido Günther:
> According to
>
>   https://www.redhat.com/archives/libvir-list/2017-March/msg01612.html
>
> on Jessie with
>
>     Kernel 4.9.11
>     Apparmor 2.10
>
> unbreaks attaching disks.

for the record, the Linux kernel commit John referred to (ec34fa2)
made it into Linux 4.8.

Sadly, it seems that some aspect of reloading profiles is still
somewhat broken for me on current sid, either in the parser or in the
kernel (tested on apparmor 2.11.0-6+b2, Linux 4.11.0-2-amd64 version
4.11.11-1+b1).

I've used the same testing procedure as Guido
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#109), i.e.
without involving virt-aa-helper.

I see a denial logged:

  AVC apparmor="DENIED" operation="open"
  profile="libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d"
  name="/var/lib/libvirt/images/Jessie.qcow2" pid=20033
  comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"
  fsuid=119 ouid=119

… while apparmor_parser --debug -r libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d
says access is allowed:

  Mode:	rwa:rwa	Name:	(/var/lib/libvirt/images/Jessie.qcow2)

John, is there anything I can do on my side to help debug this?

Guido, Frank, Carlo: can you reproduce my results on Stretch and/or
current sid?

Cheers,
-- 
intrigeri
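
Added example, not part of the original message or of the AppArmor or libvirt code: a small Python check that compares an AppArmor denial record with the `apparmor_parser --debug` rule dump for the same path, to separate "the profile text lacks the permission" from "the compiled profile grants it but the kernel still denied it", which is the situation reported above. Assumptions: the two colon-separated fields after `Mode:` are the owner and other permission sets, a `w` rule also covers the `a`, `c` and `d` audit masks, and only literal rule names are matched (globs are not evaluated); the function names are hypothetical.

```python
import re
import shlex

# Sample input: the two outputs quoted in the message above.
AVC_LINE = ('AVC apparmor="DENIED" operation="open" '
            'profile="libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d" '
            'name="/var/lib/libvirt/images/Jessie.qcow2" pid=20033 '
            'comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" '
            'fsuid=119 ouid=119')
PARSER_DEBUG = "Mode:\trwa:rwa\tName:\t(/var/lib/libvirt/images/Jessie.qcow2)\n"

# Assumption: a "w" rule also grants append, create and delete.
IMPLIED_BY_W = set("acd")

def parse_avc(line):
    """Split an AppArmor audit record into a dict of its key=value fields."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def parse_debug_rules(text):
    """Map rule name -> (owner_perms, other_perms) from parser --debug lines."""
    rules = {}
    for m in re.finditer(r"Mode:\s+(\S*):(\S*)\s+Name:\s+\((.*)\)", text):
        rules[m.group(3)] = (set(m.group(1)), set(m.group(2)))
    return rules

def check(avc, rules):
    """Compare one denial with the compiled rule for the same literal path."""
    if avc.get("apparmor") != "DENIED":
        return "not-a-denial"
    name = avc.get("name")
    if name not in rules:
        return "no-literal-rule"  # a glob rule may still match; not evaluated
    owner, other = rules[name]
    # Assumption: the owner column applies when the task's fsuid owns the file.
    granted = set(owner if avc.get("fsuid") == avc.get("ouid") else other)
    if "w" in granted:
        granted |= IMPLIED_BY_W
    missing = set(avc.get("denied_mask", "")) - granted
    if missing:
        return "policy-lacks:" + "".join(sorted(missing))
    # The dump grants everything that was denied: the policy loaded in the
    # kernel does not match what the parser compiled from the profile text.
    return "mismatch"

if __name__ == "__main__":
    print(check(parse_avc(AVC_LINE), parse_debug_rules(PARSER_DEBUG)))
```

A `mismatch` result means the denial cannot be explained by the profile text, so the profile reload path is where to look next.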


