[pkg-apparmor] Bug#931470: In debian buster: apparmor denies sys_rawio capability from libvirtd which happens when using scsi disks
Katerina Koukiou
kkoukiou at redhat.com
Fri Jul 5 16:29:35 BST 2019
Package: libapparmor1
When trying to create VMs with disks on SCSI, AppArmor will show
warnings in the journal.
Relevant package versions:
libapparmor1/testing,now 2.13.2-10 amd64
libvirt-daemon-system/testing,now 5.0.0-4 amd64
The apparmor warning line from journal is the following:
audit: type=1400 audit(1562337821.518:28): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=1611 comm="libvirt_parthel" capability=17 capname="sys_rawio"
As I said, the above warning shows up when trying to run a VM with a SCSI disk.
In order to reproduce the above warning, run a VM with the following command:
virt-install --connect qemu:///system --name test --os-variant fedora-unknown \
  --memory 500 --vcpus 1 --wait -1 --noautoconsole --noreboot \
  --disk path=/dev/sda1,device=disk,bus=virtio,readonly=off,shareable=off,cache=none,driver_name=qemu,driver_type=raw,io=native \
  --cdrom https://localhost:8000/novell.iso
where /dev/sda1 is a partition on a SCSI disk, as you can see:
root at unassigned-hostname:~# ls -la /dev/disk/by-id/ | grep sda
lrwxrwxrwx 1 root root  9 Jul 5 11:24 pci-0000:00:02.0-scsi-0:0:2:0 -> ../../sda
lrwxrwxrwx 1 root root 10 Jul 5 11:24 pci-0000:00:02.0-scsi-0:0:2:0-part1 -> ../../sda1
Expected behavior:
Since CAP_SYS_RAWIO is needed to perform various SCSI device commands,
I would expect that the AppArmor profile would be extended to allow
that capability.
Regards,
Katerina
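Added example, not part of the bug report above: a small POSIX shell helper that summarises AppArmor "capable" denials per profile and capability from audit-style kernel log lines (the format `journalctl -k` or `dmesg` prints), so an operator can confirm which profile is missing which capability before touching it. The sample lines are constructed; the libvirtd/sys_rawio line mirrors the one in the report.

```shell
#!/bin/sh
# Constructed sample of kernel audit lines (not real captured logs).
# Two DENIED sys_rawio events for libvirtd, one ALLOWED event, and one
# unrelated file-open denial that must be ignored by the filter.
AUDIT_SAMPLE='audit: type=1400 audit(1562337821.518:28): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=1611 comm="libvirt_parthel" capability=17 capname="sys_rawio"
audit: type=1400 audit(1562337822.100:29): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=1611 comm="libvirt_parthel" capability=17 capname="sys_rawio"
audit: type=1400 audit(1562337823.000:30): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/libvirtd" pid=1611 comm="libvirtd" capability=21 capname="sys_admin"
audit: type=1400 audit(1562337824.000:31): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=700 comm="cupsd" requested_mask="r" denied_mask="r"'

# Read audit lines on stdin; print one "profile capname count" line per
# distinct (profile, capability) pair that was DENIED for a capable() check.
capable_denials() {
  grep 'apparmor="DENIED"' | grep 'operation="capable"' |
  sed -n 's/.*profile="\([^"]*\)".*capname="\([^"]*\)".*/\1 \2/p' |
  sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Convenience wrapper: run the summary over the embedded sample.
capable_denials_sample() {
  printf '%s\n' "$AUDIT_SAMPLE" | capable_denials
}

# Usage: journalctl -k --no-pager | capable_denials
# Expected output for the sample: "/usr/sbin/libvirtd sys_rawio 2"
```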