[Pkg-libvirt-maintainers] Bug#996355: libvirt: When apparmor is enabled and VM uses LVM, cannot start QEMU VMs anymore
Giuseppe Sacco
eppesuig at debian.org
Wed Oct 13 12:37:17 BST 2021
Source: libvirt
Severity: important
Dear Maintainer,
for a few weeks all VMs have stopped working. This is on a Debian 11 installed
in March from the testing distribution, eventually updated to stable once
bullseye was released.
All VMs use LVM volumes as disks. Now, when libvirt tries to start them, it
stops with this error that I found in /var/log/libvirt/qemu/ad.log (text
wrapped by me)
2021-10-13T09:02:14.020416Z qemu-system-x86_64: -blockdev
{"driver":"host_device","filename":"/dev/vg/ad","aio":"threads"a
,"node-name":"libvirt-3-storage","cache":{"direct":false,"no-flush":true},
"auto-read-only":true,"discard":"unmap"}: Could not open '/dev/vg/ad':
Permission denied
2021-10-13 09:02:14.098+0000: shutting down, reason=failed
At the same time I see an error in syslog from apparmor (again, text
wrapped by me):
audit: type=1400 audit(1634115229.330:59): apparmor="DENIED"
operation="open" profile="libvirt-2351395b-d8e8-4b8f-8c2f-59787002e863"
name="/dev/dm-3" pid=6720 comm="qemu-system-x86" requested_mask="r"
denied_mask="r" fsuid=64055 ouid=64055
I looked for solutions on the Internet and found that the apparmor
profile is rebuilt from a template configured in
/etc/apparmor.d/libvirt/TEMPLATE.qemu,
so I tried to add new rules for my LVM volumes:
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>
/dev/vg/ad rk,
/dev/vg/db rk,
/dev/vg/db-dati rk,
/dev/vg/os rk,
/dev/vg/os-dati rk,
}
but it did not work. I don't know if this is important, but please note
that I used the volume names found in the qemu error message even if they
are not the ones from the apparmor error message. In fact they are links:
lrwxrwxrwx 1 root root 7 13 ott 11.02 /dev/vg/ad -> ../dm-3
Thank you very much,
Giuseppe
-- System Information:
Debian Release: 11.1
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-9-amd64 (SMP w/4 CPU threads)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
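An added illustration of the mismatch described in the report (example code, not part of the bug report or of libvirt): AppArmor checks the path the kernel resolves, so a rule written for the /dev/vg/ad symlink does not cover its /dev/dm-3 target named in the audit line. The script extracts the denied path from a constructed audit line in the same shape as the one above, resolves a constructed symlink that mimics /dev/vg/ad -> ../dm-3, and prints rules covering both spellings. The directory layout and audit line are constructed for the demo.

```sh
# Print the name= value of every AppArmor DENIED line read from stdin.
denied_paths() {
  sed -n 's/.*apparmor="DENIED".* name="\([^"]*\)".*/\1/p'
}

# For each disk path, print a "path rk," rule for the path itself and, if it
# is a symlink, one for the resolved target. Output is sorted and deduplicated.
resolve_disk_rules() {
  for disk in "$@"; do
    printf '  %s rk,\n' "$disk"
    target=$(readlink -f -- "$disk" 2>/dev/null) || continue
    [ "$target" != "$disk" ] && printf '  %s rk,\n' "$target"
  done | sort -u
}

# Constructed sample layout mimicking /dev/vg/ad -> ../dm-3 (physical path so
# the resolved target compares equal even if the temp dir is itself a symlink).
demo_dir=$(cd "$(mktemp -d)" && pwd -P)
mkdir -p "$demo_dir/vg"
: > "$demo_dir/dm-3"
ln -s ../dm-3 "$demo_dir/vg/ad"

# Constructed audit line in the same shape as the one in the report; the
# profile name is a placeholder, not a real libvirt domain UUID.
sample_audit="audit: type=1400 audit(1.0:1): apparmor=\"DENIED\" operation=\"open\" profile=\"libvirt-EXAMPLE\" name=\"$demo_dir/dm-3\" pid=1 comm=\"qemu-system-x86\" requested_mask=\"r\" denied_mask=\"r\""

# Show that the denied path is the resolved target of the configured disk,
# then print the rules that would cover both the symlink and the target.
denied=$(printf '%s\n' "$sample_audit" | denied_paths)
if [ "$denied" = "$(readlink -f -- "$demo_dir/vg/ad")" ]; then
  echo "denied path $denied is the target of $demo_dir/vg/ad"
fi
resolve_disk_rules "$demo_dir/vg/ad"
```

On a real host the same check is `readlink -f /dev/vg/ad` against the `name=` value in the audit log; a rule that only names the symlink will keep producing the DENIED line.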