[Pkg-libvirt-maintainers] Bug#870626: libvirt-daemon-system: AppArmor blocks access to qcow2 volumes when backingStore != image

intrigeri at debian.org intrigeri at debian.org
Thu Aug 3 15:01:30 UTC 2017


Package: libvirt-daemon-system
Version: 3.5.0-1
Severity: important
Tags: fixed-upstream
Control: forwarded -1 https://www.redhat.com/archives/libvir-list/2017-July/msg00604.html

Hi,

Debian is affected by a regression that affects how virt-aa-helper
can update the .files AppArmor profile:
https://www.redhat.com/archives/libvir-list/2017-July/msg00604.html

This is supposedly fixed upstream in commit
5e515b542d7f0940396c74bf8f6cb337d5d0dcc5,
which is included in 3.6.0.

I'm reporting this here so that affected Debian users know what's
going on. I'm happy to try again once 3.6.0 is uploaded to sid;
feel free to close this bug in the 3.6.0-1 upload :)

In my case, qemu-img info says:

  image: /var/lib/libvirt/images/tails-builder-amd64-jessie-20170729-9043b1ef44_default.img
  backing file: /var/lib/libvirt/images/tails-builder-amd64-jessie-20170729-9043b1ef44_vagrant_box_image_0.img

The Journal says:

  AVC apparmor="DENIED" operation="open"
  profile="libvirt-f756c536-c6c3-4b5c-be95-2a7c2e39b06e"
  name="/var/lib/libvirt/images/tails-builder-amd64-jessie-20170729-9043b1ef44_vagrant_box_image_0.img"
  pid=22439 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
  fsuid=119 ouid=119

And indeed
/etc/apparmor.d/libvirt/libvirt-f756c536-c6c3-4b5c-be95-2a7c2e39b06e.files
has nothing about tails-builder-amd64-jessie-20170729-9043b1ef44_vagrant_box_image_0.img.

Cheers,
-- 
intrigeri
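
The check made by hand in the report (is the denied path covered by the domain's .files fragment?), as an added example that is not part of the original message or of libvirt. The .files content below is constructed, its rule layout (quoted path, then permissions) is an assumption, and rules granted by other included profiles are not considered.

```python
import re
import shlex

# AVC message as quoted in the report, joined onto one line.
DENIAL = (
    'AVC apparmor="DENIED" operation="open" '
    'profile="libvirt-f756c536-c6c3-4b5c-be95-2a7c2e39b06e" '
    'name="/var/lib/libvirt/images/tails-builder-amd64-jessie-20170729-9043b1ef44_vagrant_box_image_0.img" '
    'pid=22439 comm="qemu-system-x86" requested_mask="r" denied_mask="r" '
    'fsuid=119 ouid=119')

# Constructed .files fragment (assumed layout): it lists the top image only,
# matching the report's statement that the backing file is absent from it.
FILES_PROFILE = '''\
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/tails-builder.log" w,
  "/var/lib/libvirt/images/tails-builder-amd64-jessie-20170729-9043b1ef44_default.img" rwk,
'''

RULE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-zA-Z]+),\s*$')

def parse_avc(line):
    """Split an AppArmor audit message into its key=value fields."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def glob_to_regex(pattern):
    """Translate the AppArmor globs **, * and ? (only these) into a regex."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r'(\*\*|\*|\?)', pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def rule_covers(profile_text, path, mask):
    """True if matching allow rules grant every bit in mask and no deny rule removes one."""
    allowed, denied = set(), set()
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and glob_to_regex(m.group(2)).match(path):
            (denied if m.group(1) else allowed).update(m.group(3))
    return set(mask) <= allowed - denied

def explain_denial(avc_line, profile_text):
    """Return (profile, path, denied_mask, covered_by_fragment) for one DENIED message."""
    f = parse_avc(avc_line)
    return f["profile"], f["name"], f["denied_mask"], rule_covers(profile_text, f["name"], f["denied_mask"])
```

A result whose last element is False means the fragment has no rule for the denied path, which is the state the report describes for the backing file.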


