[Pkg-libvirt-maintainers] Bug#846534: libvirt-daemon-system: VM with usb host device fails to start when apparmor is enabled
Kjö Hansi Glaz
kjo at a4nancy.net.eu.org
Thu Dec 1 22:41:05 UTC 2016
Package: libvirt-daemon-system
Version: 2.4.0-2
Severity: normal
Dear Maintainer,
* What led up to the situation?
Define a VM with an USB host device:
<hostdev mode='subsystem' type='usb' managed='yes'>
<source>
<vendor id='0x1234'/>
<product id='0x5678'/>
</source>
<address type='usb' bus='0' port='4'/>
</hostdev>
* What exactly did you do (or not do) that was effective (or
ineffective)?
Try to start the VM on a system with apparmor enabled
* What was the outcome of this action?
libvirtError: internal error: qemu unexpectedly closed the monitor: 2016-12-01T22:30:29.196276Z qemu-system-x86_64: -device usb-host,hostbus=3,hostaddr=5,id=hostdev0,bus=usb.0,port=4: failed to find host usb device 3:5
The system journal contains apparmor errors, see below.
* What outcome did you expect instead?
The VM to start.
* Notes
Please note that there is an ubuntu bug for this issue:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1515791
* System log when starting the VM:
déc. 01 23:34:34 host audit[8338]: AVC apparmor="STATUS" operation="profile_replace" name="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" pid=8338 comm="apparmor_parser"
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.577:394): apparmor="STATUS" operation="profile_replace" name="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" pid=8338 comm="apparmor_parser"
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/sys/module/vhost/parameters/max_mem_regions" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.625:395): apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/sys/module/vhost/parameters/max_mem_regions" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/proc/8340/task/8343/comm" pid=8340 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=117 ouid=117
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.625:396): apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/proc/8340/task/8343/comm" pid=8340 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=117 ouid=117
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/proc/8340/task/8344/comm" pid=8340 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=117 ouid=117
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.625:397): apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/proc/8340/task/8344/comm" pid=8340 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=117 ouid=117
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:256" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:129" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:1-1.1:1.1" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:3-0:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.3:1.1" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:132" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.1:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:260" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.1.3:1.2" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:2" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.1.3:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:1" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:3-1:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:1-0:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:384" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.2:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:4-0:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:136" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:128" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:1-1.1:1.2" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.3:1.2" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:134" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:130" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:3-2:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.1.3:1.3" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:1-1.1:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:1-1:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.3:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:131" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:257" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8.1.3:1.1" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-0:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host audit[8340]: AVC apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1.8:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.645:398): apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:256" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.645:399): apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:2-1:1.0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.645:400): apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:129" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.645:401): apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/c189:0" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host kernel: audit: type=1400 audit(1480631674.645:402): apparmor="DENIED" operation="open" profile="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" name="/run/udev/data/+usb:1-1.1:1.1" pid=8340 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
déc. 01 23:34:34 host libvirtd[1038]: Unable to read from monitor: Connexion ré-initialisée par le correspondant
déc. 01 23:34:34 host libvirtd[1038]: internal error: qemu unexpectedly closed the monitor: 2016-12-01T22:34:34.651054Z qemu-system-x86_64: -device usb-host,hostbus=3,hostaddr=5,id=hostdev0,bus=usb.0,port=4: failed to find host usb device 3:5
déc. 01 23:34:34 host virtlogd[6305]: End of file while reading data: Erreur d'entrée/sortie
déc. 01 23:34:34 host virtlogd[6305]: End of file while reading data: Erreur d'entrée/sortie
déc. 01 23:34:34 host audit[8350]: AVC apparmor="STATUS" operation="profile_remove" name="libvirt-bd2a0f7a-1637-4dc2-90c4-55b9b1980d86" pid=8350 comm="apparmor_parser"
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (900, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libvirt-daemon-system depends on:
ii adduser 3.115
ii gettext-base 0.19.8.1-1
ii init-system-helpers 1.46
ii libapparmor1 2.10.95-6
ii libaudit1 1:2.6.7-1
ii libblkid1 2.29-1
ii libc6 2.24-7
ii libcap-ng0 0.7.7-3
ii libdbus-1-3 1.10.14-1
ii libdevmapper1.02.1 2:1.02.136-1
ii libnl-3-200 3.2.27-1
ii libnl-route-3-200 3.2.27-1
ii libnuma1 2.0.11-2
ii librados2 0.80.11-1.1
ii librbd1 0.80.11-1.1
ii libselinux1 2.6-3
ii libvirt-clients 2.4.0-2
ii libvirt-daemon 2.4.0-2
ii libvirt0 2.4.0-2
ii libxml2 2.9.4+dfsg1-2.1
ii libyajl2 2.1.0-2
ii logrotate 3.8.7-2
ii policykit-1 0.105-17
Versions of packages libvirt-daemon-system recommends:
ii bridge-utils 1.5-10
ii dmidecode 3.0-4
ii dnsmasq-base 2.76-4
ii ebtables 2.0.10.4-3.5
ii iproute2 4.8.0-1
pn iptables <none>
ii parted 3.2-16+b1
Versions of packages libvirt-daemon-system suggests:
ii apparmor 2.10.95-6
pn auditd <none>
ii nfs-common 1:1.2.8-9.2
ii pm-utils 1.4.1-16
pn radvd <none>
ii systemd 232-7
pn systemtap <none>
pn zfsutils <none>
-- Configuration Files:
/etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/allow-arp.xml'
/etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/allow-dhcp-server.xml'
/etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/allow-dhcp.xml'
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
/etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/allow-ipv4.xml'
/etc/libvirt/nwfilter/clean-traffic.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/clean-traffic.xml'
/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-spoofing.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-arp-spoofing.xml'
/etc/libvirt/nwfilter/no-ip-multicast.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-ip-multicast.xml'
/etc/libvirt/nwfilter/no-ip-spoofing.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-mac-broadcast.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-mac-broadcast.xml'
/etc/libvirt/nwfilter/no-mac-spoofing.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-other-l2-traffic.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-other-l2-traffic.xml'
/etc/libvirt/nwfilter/no-other-rarp-traffic.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/no-other-rarp-traffic.xml'
/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml'
/etc/libvirt/nwfilter/qemu-announce-self.xml [Errno 13] Permission non accordée: u'/etc/libvirt/nwfilter/qemu-announce-self.xml'
/etc/libvirt/qemu.conf [Errno 13] Permission non accordée: u'/etc/libvirt/qemu.conf'
/etc/libvirt/qemu/networks/default.xml [Errno 13] Permission non accordée: u'/etc/libvirt/qemu/networks/default.xml'
-- no debconf information
More information about the Pkg-libvirt-maintainers
mailing list