On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote:
> Hello Frank,
> 
> I'm currently investigating some apparmor-related bug with namespaces. This one
> is surely related. I'll look into it when I'm done with the one I'm working on.

Assuming you're running the Jessie kernel, it's likely:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002

To make sure it's the kernel and not libvirt have a look at:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51

Cheers,
 -- Guido

> 
> --
> Cedric
> 
> On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
> > Hello,
> > 
> > I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and
> > configured libvirt to use apparmor as security driver.
> > After booting a VM, virsh dumpxml shows an apparmor seclabel.
> > 
> > As soon as I try to attach a second disk to the VM, apparmor blocks this.
> > 
> > virsh attach-device test-vps /tmp/virshXmlDefinition
> > error: Failed to attach device from /tmp/virshXmlDefinition
> > error: operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
> > 
> > Syslog shows me the following:
> > Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
> > Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
> > Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
> > 
> > In the VM specific apparmor file
> > /etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
> > "/mnt/images/disk1.raw" rw,
> > 
> > Which is my primary VM disk. I expected a virsh attach-device to append
> > /mnt/images/disk2.raw to this file and reload/refresh the apparmor profile?
> > 
> > I'm not able to attach a live disk to a running VM with apparmor. Am I
> > missing something? Or is this a bug/missing feature in libvirt?
> > 
> > Thanks,
> > Frank
> > --
> > libvir-list mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/libvir-list

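One way to cross-check the denials quoted in this thread against the rules in the per-VM `.files` file, as an added example that is not part of the original messages or of libvirt. The function names are hypothetical, the glob handling covers only `*`, `**` and `?`, and permissions are compared letter by letter, which is a simplification of AppArmor's rule semantics.

```python
import re

# Sample input: the two denial records and the .files rule quoted in the thread,
# with each wrapped record rejoined onto one line.
_REC = ('Mar 22 17:45:20 vps0 kernel: [1136647.{}] audit: type=1400 audit(1490201120.577:{}): '
        'apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" '
        'name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="{m}" denied_mask="{m}" '
        'fsuid=996 ouid=33\n')
SAMPLE_LOG = _REC.format("318314", 30, m="r") + _REC.format("325155", 31, m="rw")
SAMPLE_FILES = '"/mnt/images/disk1.raw" rw,\n'

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')                      # key=value or key="value"
RULE = re.compile(r'^\s*(?:"([^"]+)"|(/\S*))\s+([a-zA-Z]+)\s*,')  # path perms,

def parse_denials(log_text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = []
    for line in log_text.splitlines():
        fields = {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            records.append(fields)
    return records

def glob_to_regex(path):
    """Translate the basic AppArmor globs: ** crosses '/', * and ? do not."""
    conv = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", path)
    return re.compile("".join(conv.get(p, re.escape(p)) for p in parts) + r"\Z")

def parse_rules(files_text):
    """Return (compiled path pattern, set of permission letters) per file rule."""
    rules = []
    for line in files_text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((glob_to_regex(m.group(1) or m.group(2)), set(m.group(3))))
    return rules

def uncovered(log_text, files_text):
    """Return sorted (path, missing_perms) pairs that no rule in files_text grants."""
    rules = parse_rules(files_text)
    missing_by_path = {}
    for rec in parse_denials(log_text):
        granted = set()
        for pattern, perms in rules:
            if pattern.match(rec["name"]):
                granted |= perms
        missing = set(rec.get("requested_mask", "")) - granted
        if missing:
            missing_by_path.setdefault(rec["name"], set()).update(missing)
    return sorted((p, "".join(sorted(m))) for p, m in missing_by_path.items())
```

An empty result for a path that is still being denied means the rule is on disk but the loaded profile does not reflect it; a non-empty result means the `.files` file was never updated for that path.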