Hello. I'm having the same problem. I just upgraded to 14.10 (from
14.04).
'service libvirt-bin start' fails to start (although it gives a pid).
/var/log/libvirt/libvirtd.log
2015-03-10 03:22:13.546+0000: 10223: info : libvirt version: 1.2.8, package: 1.2.8-0ubuntu11.4
2015-03-10 03:22:13.546+0000: 10223: error : virAuditOpen:62 : Unable to initialize audit layer: Permission denied
2015-03-10 03:22:13.548+0000: 10223: error : virNetlinkEventServiceStart:544 : cannot connect to netlink socket with protocol 0: Permission denied
/etc/apparmor.d/usr.sbin.libvirtd
# Last Modified: Mon Jul 6 17:23:58 2009
#include <tunables/global>
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd {
#include <abstractions/base>
#include <abstractions/dbus>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.libvirtd>
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
capability fsetid,
capability ipc_lock,
capability audit_write,
# Needed for vfio
capability sys_resource,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network packet dgram,
network netlink,
dbus bus=system,
signal,
ptrace,
unix,
# for now, use a very lenient profile since we want to first focus on
# confining the guests
/ r,
/** rwmkl,
/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
/usr/lib/xen-common/bin/xen-toolstack PUx,
/usr/lib/xen-*/bin/pygrub PUx,
/usr/lib/xen-*/bin/libxl-save-helper PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# write and run an ebtables script.
/var/lib/libvirt/virtd* ixr,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
audit deny /etc/apparmor.d/libvirt/** wxl,
audit deny /sys/kernel/security/apparmor/features rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/lib/libvirt/* PUxr,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}
After 'aa-audit /usr/sbin/libvirtd' everything seems to work, but with a
lot of chat in dmesg.
I can spend some time debugging this but I'll need someone to guide me.
Regards,
Norberto
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1386465
Title:
apparmor profile prevents libvirtd from creating a socket
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1386465/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
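The "chat in dmesg" that appears once the profile is switched to audit mode with `aa-audit` is the usual place to find out which operations the profile is blocking. The following is an added example, not code from this bug report, from libvirt or from Ubuntu: a small Python parser that reads AppArmor audit lines (the `type=1400 ... apparmor="DENIED"` format the kernel emits), groups them per profile, and turns each event into the rule that would cover it, much as `aa-logprof` does but in a cut-down form. It separates `DENIED` events (the operation was actually blocked, which is what the libvirtd log above reflects) from `AUDIT` events (allowed but logged, which is all that audit mode adds). The log lines inside the block are constructed samples in the real field layout; the PIDs, paths and event ids are made up.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines in the AppArmor audit format.
# They are illustrative only and were not taken from the bug report.
SAMPLE_LOG = """\
audit: type=1400 audit(1425957733.546:101): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=10223 comm="libvirtd" capability=29  capname="audit_write"
audit: type=1400 audit(1425957733.548:102): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=10223 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1425957733.550:103): apparmor="AUDIT" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/libvirtd.conf" pid=10223 comm="libvirtd" requested_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1425957733.551:104): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/run/libvirt/libvirt-sock" pid=10223 comm="libvirtd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1425957733.552:105): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd" pid=10300 comm="apparmor_parser"
"""

# key=value tokens; values are either double-quoted or a bare word.
TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line carries no apparmor= field (i.e. is not AppArmor)."""
    fields = {}
    for m in TOKEN_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields if "apparmor" in fields else None


def suggest_rule(ev):
    """Map one parsed event to the profile rule that would cover it.
    Covers the three event kinds seen in the libvirtd report: capabilities,
    socket operations and file accesses. Returns None for anything else."""
    if ev.get("operation") == "capable" and "capname" in ev:
        return f'capability {ev["capname"]},'
    if "family" in ev:                       # network / netlink socket events
        sock_type = ev.get("sock_type")
        return f'network {ev["family"]} {sock_type},' if sock_type else f'network {ev["family"]},'
    if "name" in ev and "requested_mask" in ev:   # file access events
        return f'{ev["name"]} {ev["requested_mask"]},'
    return None


def summarize(log_text):
    """Group events by profile and by decision.
    Returns {profile: {"DENIED": [rules...], "AUDIT": [rules...]}}.
    DENIED rules are what currently breaks the program; AUDIT rules are
    already permitted and only logged because the profile is in audit mode."""
    out = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        decision = ev["apparmor"]
        if decision not in ("DENIED", "AUDIT"):
            continue                          # STATUS/ALLOWED lines carry no rule to add
        rule = suggest_rule(ev)
        if rule and rule not in out[ev["profile"]][decision]:
            out[ev["profile"]][decision].append(rule)
    return {profile: dict(by_decision) for profile, by_decision in out.items()}


if __name__ == "__main__":
    # With a real system: summarize(open("/var/log/kern.log").read())
    for profile, by_decision in summarize(SAMPLE_LOG).items():
        print(profile)
        for decision, rules in by_decision.items():
            print(f"  {decision}:")
            for rule in rules:
                print(f"    {rule}")
```

On the sample input the `DENIED` bucket for `/usr/sbin/libvirtd` comes out as `capability audit_write,`, `network netlink raw,` and `/run/libvirt/libvirt-sock wr,`, while the `AUDIT` bucket only holds the allowed-and-logged `/etc/libvirt/libvirtd.conf r,`. Each suggested line should be checked against the loaded profile before being added: a rule that already exists in the profile text but still shows up as `DENIED` points at a stale compiled profile or a `deny` rule that wins over it, not at a missing permission.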