** Description changed:

+ Reproducing steps:
+ 
+ 1) Sync Xenial cloud-image
+ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily 
arch=amd64 label=daily release=xenial
+ 
+ 2) Create a test guest with:
+ uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test 
release=xenial arch=amd64 label=daily
+ 
+ 3) Create a zvol
+ zfs create -V 8G zlxd/xenial-kernel-test
+ 
+ 4) Copy the qcow2 data to the zvol
+ qemu-img convert -O raw \
+   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
+   /dev/zvol/zlxd/xenial-kernel-test
+ 
+ 5) Update the guest definition to use the zvol
+   <disk type='file' device='disk'>
+     <driver name='qemu' type='raw' cache='none'/>
+     <source file='/dev/zvol/zlxd/xenial-kernel-test'/>
+     <target dev='vda' bus='virtio'/>
+   </disk>
+ 
+ 6) boot the guest
+ virsh start xenial-kernel-test
+ 
+ 7) check for apparmor denial messages
+ dmesg | tail | grep apparmor
+ 
+ 
+ Without the fix, Apparmor would report denials when accessing 
/etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf 
and /dev/zvolX (where X corresponds to the zvol number). Starting the guest 
should be much slower than usual.
+ 
+ With the fix in place, the only Apparmor denial would be about reading
+ the /dev/zvolx device. This causes no visible problem nor slowdown.
+ 
+ 
+ Original description:
+ 
  With libvirt-bin 1.3.1, starting a QEMU guest results in those AA
  denials:
  
  Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 
audit(1455728783.639:73): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 
audit(1455728783.639:74): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 
audit(1455728783.639:75): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 
audit(1455728783.639:76): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  
- 
- virt-aa-helper's AA profile hasn't changed recently so it seems like the 
helper is doing more in this release.
+ virt-aa-helper's AA profile hasn't changed recently so it seems like the
+ helper is doing more in this release.
  
  Additional information:
  
  $ lsb_release -rd
  Description:  Ubuntu Xenial Xerus (development branch)
  Release:      16.04
  
  $ apt-cache policy apparmor libvirt-bin
  apparmor:
-   Installed: 2.10-3ubuntu1
-   Candidate: 2.10-3ubuntu1
-   Version table:
-  *** 2.10-3ubuntu1 500
-         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 2.10-3ubuntu1
+   Candidate: 2.10-3ubuntu1
+   Version table:
+  *** 2.10-3ubuntu1 500
+         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+         100 /var/lib/dpkg/status
  libvirt-bin:
-   Installed: 1.3.1-1ubuntu1
-   Candidate: 1.3.1-1ubuntu1
-   Version table:
-  *** 1.3.1-1ubuntu1 500
-         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 1.3.1-1ubuntu1
+   Candidate: 1.3.1-1ubuntu1
+   Version table:
+  *** 1.3.1-1ubuntu1 500
+         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+         100 /var/lib/dpkg/status
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
  Uname: Linux 4.4.0-5-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Feb 17 13:08:04 2016
  KernLog:
-  
+ 
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] 
Permission denied: '/etc/libvirt/qemu.conf']
  modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]
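Review bot: two points on the reproduction steps added in this hunk. Step 5 attaches a block device with `<disk type='file' device='disk'>` and `<source file='/dev/zvol/zlxd/xenial-kernel-test'/>`, whereas libvirt's form for a block device is `type='block'` with `<source dev='...'/>`; if the `file` form is intentional for triggering the denials, the step should say so, otherwise a tester is likely to "correct" it and not reproduce the problem. Step 7, `dmesg | tail | grep apparmor`, only inspects the last ten kernel lines, so denials are easily missed on a busy host; `dmesg | grep apparmor` (or checking the full kernel log) would make the check reliable, and the expected denials could be checked against the `name="..."` fields listed in the "Without the fix" paragraph.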

** Description changed:

  Reproducing steps:
  
  1) Sync Xenial cloud-image
  uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily 
arch=amd64 label=daily release=xenial
  
  2) Create a test guest with:
  uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test 
release=xenial arch=amd64 label=daily
  
  3) Create a zvol
  zfs create -V 8G zlxd/xenial-kernel-test
  
  4) Copy the qcow2 data to the zvol
  qemu-img convert -O raw \
-   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
-   /dev/zvol/zlxd/xenial-kernel-test
+   /var/lib/uvtool/libvirt/images/xenial-kernel-test.qcow \
+   /dev/zvol/zlxd/xenial-kernel-test
  
  5) Update the guest definition to use the zvol
-   <disk type='file' device='disk'>
-     <driver name='qemu' type='raw' cache='none'/>
-     <source file='/dev/zvol/zlxd/xenial-kernel-test'/>
-     <target dev='vda' bus='virtio'/>
-   </disk>
+   <disk type='file' device='disk'>
+     <driver name='qemu' type='raw' cache='none'/>
+     <source file='/dev/zvol/zlxd/xenial-kernel-test'/>
+     <target dev='vda' bus='virtio'/>
+   </disk>
  
  6) boot the guest
  virsh start xenial-kernel-test
  
  7) check for apparmor denial messages
  dmesg | tail | grep apparmor
  
- 
- Without the fix, Apparmor would report denials when accessing 
/etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf, /run/resolvconf/resolv.conf 
and /dev/zvolX (where X corresponds to the zvol number). Starting the guest 
should be much slower than usual.
+ Without the fix, Apparmor would report denials when accessing
+ /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf,
+ /run/resolvconf/resolv.conf and /dev/zdX (where X corresponds to the
+ zvol number). Starting the guest should be much slower than usual.
  
  With the fix in place, the only Apparmor denial would be about reading
- the /dev/zvolx device. This causes no visible problem nor slowdown.
- 
+ the /dev/zdx device. This causes no visible problem nor slowdown.
  
  Original description:
  
  With libvirt-bin 1.3.1, starting a QEMU guest results in those AA
  denials:
  
  Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 
audit(1455728783.639:73): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 
audit(1455728783.639:74): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=23156 
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 
audit(1455728783.639:75): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 
audit(1455728783.639:76): apparmor="DENIED" operation="open" 
profile="/usr/lib/libvirt/virt-aa-helper" name="/run/resolvconf/resolv.conf" 
pid=23156 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
  
  virt-aa-helper's AA profile hasn't changed recently so it seems like the
  helper is doing more in this release.
  
  Additional information:
  
  $ lsb_release -rd
  Description:  Ubuntu Xenial Xerus (development branch)
  Release:      16.04
  
  $ apt-cache policy apparmor libvirt-bin
  apparmor:
    Installed: 2.10-3ubuntu1
    Candidate: 2.10-3ubuntu1
    Version table:
   *** 2.10-3ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  libvirt-bin:
    Installed: 1.3.1-1ubuntu1
    Candidate: 1.3.1-1ubuntu1
    Version table:
   *** 1.3.1-1ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: libvirt-bin 1.3.1-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-5.20-generic 4.4.1
  Uname: Linux 4.4.0-5-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Feb 17 13:08:04 2016
  KernLog:
  
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] 
Permission denied: '/etc/libvirt/qemu.conf']
  modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]
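Review bot: the `/dev/zvolX` to `/dev/zdX` correction in this hunk is the right device name: on Linux ZFS the zvol block node is `/dev/zdN`, and `/dev/zvol/zlxd/xenial-kernel-test` used in steps 4 and 5 is the symlink to it, so the remaining denial after the fix is on the resolved target rather than on the path given in the guest XML. It would help to record the actual audit line for that residual denial (profile, `name="/dev/zdN"`, `requested_mask`) next to the name-resolution denials quoted under "Original description", so testers can tell the expected leftover denial apart from the ones the fix is meant to remove.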

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs