Public bug reported:

The libvirt-qemu policy has:

  # for rbd
  /etc/ceph/ceph.conf r,
  /usr/lib/x86_64-linux-gnu/qemu/block-rbd.so rm,

  # for curl
  /usr/lib/x86_64-linux-gnu/qemu/block-curl.so rm,

but starting VMs on up to date xenial resulted in:

[114243.449268] audit: type=1400 audit(1457474901.712:270): apparmor="DENIED"
operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e"
name="/usr/lib/x86_64-linux-gnu/qemu/block-iscsi.so" pid=29571
comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=128 ouid=0

[114243.499942] audit: type=1400 audit(1457474901.760:271): apparmor="DENIED"
operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e"
name="/usr/lib/x86_64-linux-gnu/qemu/block-dmg.so" pid=29571
comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=128 ouid=0

I suggest instead of the above doing:

  /usr/lib/@{multiarch}/qemu/*.so rm,

This will work on non-amd64 and will help future proof new helper libs.

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: apparmor

** Tags added: apparmor

--
https://bugs.launchpad.net/bugs/1554761
Title:
missing rules for block-iscsi.so and block-dmg.so
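
Added example (not part of the original report or of the libvirt package): a Python check of which denied paths from the audit log are covered by the current rules and by the suggested glob. It assumes @{multiarch} expands to *-linux-gnu* as in Ubuntu's tunables/multiarch, and it models only the *, ** and ? glob forms, with no deny rules.

```python
import re

# Constructed sample: the two denials from the report, one record per line
# (timestamps shortened).
_REC = ('[114243.4] audit: type=1400 audit(1457474901.7:270): apparmor="DENIED" '
        'operation="file_mmap" profile="libvirt-3d246994-6329-40df-8b96-4fe95c52f12e" '
        'name="/usr/lib/x86_64-linux-gnu/qemu/%s" pid=29571 comm="qemu-system-x86" '
        'requested_mask="m" denied_mask="m" fsuid=128 ouid=0\n')
AUDIT_LOG = _REC % "block-iscsi.so" + _REC % "block-dmg.so"

# Assumption: @{multiarch} as defined in Ubuntu's tunables/multiarch; check yours.
VARIABLES = {"multiarch": "*-linux-gnu*"}
QEMU = "/usr/lib/x86_64-linux-gnu/qemu/"
CURRENT_RULES = [("/etc/ceph/ceph.conf", "r"),
                 (QEMU + "block-rbd.so", "rm"), (QEMU + "block-curl.so", "rm")]
PROPOSED_RULES = [("/etc/ceph/ceph.conf", "r"),
                  ("/usr/lib/@{multiarch}/qemu/*.so", "rm")]

def parse_denials(log):
    """Return (path, denied_mask) for every AppArmor DENIED record in log."""
    found = []
    for line in log.splitlines():
        f = {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}
        if f.get("apparmor") == "DENIED" and "name" in f:
            found.append((f["name"], f.get("denied_mask", "")))
    return found

def glob_to_regex(pattern):
    """Translate a simplified AppArmor path glob: * and ? stop at '/', ** does not."""
    for name, value in VARIABLES.items():
        pattern = pattern.replace("@{" + name + "}", value)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts))

def allowed(rules, path, mask):
    """True if the rules matching path together grant every permission in mask."""
    granted = set()
    for glob, perms in rules:
        if glob_to_regex(glob).fullmatch(path):
            granted |= set(perms)
    return set(mask) <= granted

def still_denied(rules, log=AUDIT_LOG):
    """Paths from the log that the given rule set would still deny."""
    return [p for p, m in parse_denials(log) if not allowed(rules, p, m)]

if __name__ == "__main__":
    print("current :", still_denied(CURRENT_RULES))
    print("proposed:", still_denied(PROPOSED_RULES))
```

Because * does not cross a "/", the glob grants read and mmap only to .so files directly inside the qemu module directory, and it grants no write access.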