[pkg-apparmor] Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled
Guido Günther
agx at sigxcpu.org
Fri Aug 4 03:01:51 UTC 2017
Hi,
On Thu, Aug 03, 2017 at 10:48:47AM -0400, intrigeri wrote:
> Hi,
>
> Guido Günther:
> > According to
>
> > https://www.redhat.com/archives/libvir-list/2017-March/msg01612.html
>
> > on Jessie with
>
> > Kernel 4.9.11
> > Apparmor 2.10
>
> > unbreaks attaching disks.
>
> for the record, the Linux kernel commit John referred to (ec34fa2)
> made it into Linux 4.8.
>
> Sadly, it seems that some aspect of reloading profiles is still
> somewhat broken for me on current sid, either in the parser or in the
> kernel (tested on apparmor 2.11.0-6+b2, Linux 4.11.0-2-amd64 version
> 4.11.11-1+b1).
>
> I've used the same testing procedure as Guido
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#109), i.e.
> without involving virt-aa-helper.
>
> I see a denial logged:
>
> AVC apparmor="DENIED" operation="open"
> profile="libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d"
> name="/var/lib/libvirt/images/Jessie.qcow2" pid=20033
> comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"
> fsuid=119 ouid=119
>
> … while apparmor_parser --debug -r libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d
> says access is allowed:
>
> Mode: rwa:rwa Name: (/var/lib/libvirt/images/Jessie.qcow2)
>
> John, is there anything I can do on my side to help debug this?
>
> Guido, Frank, Carlo: can you reproduce my results on Stretch and/or
> current sid?
Yes, I can still reproduce this on Buster.
Cheers,
-- Guido
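The comparison described in the quoted message (a kernel denial for a path that the `apparmor_parser --debug` dump of the same profile lists as allowed) can be automated. The following is an added example, not part of the original message or of AppArmor or libvirt. It assumes that the two halves of the `Mode:` field are owner and other permissions, in that order, and it matches exact path entries only, without expanding globs.

```python
import re

# Constructed sample input: the two lines quoted in the message above.
AUDIT = ('AVC apparmor="DENIED" operation="open" '
         'profile="libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d" '
         'name="/var/lib/libvirt/images/Jessie.qcow2" pid=20033 '
         'comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" '
         'fsuid=119 ouid=119')
DEBUG_DUMP = "Mode: rwa:rwa Name: (/var/lib/libvirt/images/Jessie.qcow2)\n"

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE = re.compile(r'Mode:\s+(\w*):(\w*)\s+Name:\s+\((.*)\)')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def parse_debug(dump):
    """Map each exact path in the dump to its two permission sets."""
    return {m.group(3): (set(m.group(1)), set(m.group(2)))
            for m in RULE.finditer(dump)}

def contradicted_denials(audit_lines, dump):
    """List (profile, path, mask) for denials that the dumped rules allow."""
    rules = parse_debug(dump)
    hits = []
    for line in audit_lines:
        d = parse_denial(line)
        if not d or d.get("name") not in rules:
            continue
        owner, other = rules[d["name"]]  # assumption: owner half comes first
        granted = owner if d.get("fsuid") == d.get("ouid") else other
        if set(d.get("denied_mask", "")) <= granted:
            hits.append((d.get("profile"), d["name"], d["denied_mask"]))
    return hits

if __name__ == "__main__":
    for profile, path, mask in contradicted_denials([AUDIT], DEBUG_DUMP):
        print(f"{profile}: '{mask}' on {path} denied, but allowed in the dump")
```

A non-empty result means the denial cannot be explained by the profile text alone, which is the situation reported in this thread.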