[libvirt] Live attaching a disk to a VM fails with apparmor enabled

Frank Schreuder fschreuder at transip.nl
Thu Mar 23 12:36:48 UTC 2017


Hello Cedric,


Please let me know if you need any additional information. I would also be able to help you test patches regarding this issue.

I'm looking forward to your findings.


Thanks,

Frank

________________________________
From: Cedric Bosdonnat <cbosdonnat at suse.com>
Sent: Thursday, 23 March 2017 13:28:57
To: Frank Schreuder; libvir-list at redhat.com
Subject: Re: [libvirt] Live attaching a disk to a VM fails with apparmor enabled

Hello Frank,

I'm currently investigating some apparmor-related bug with namespaces. This one
is surely related. I'll look into it when I'm done with the one I'm working on.

--
Cedric

On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
> Hello,
>
> I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured libvirt to use apparmor as
> security driver.
> After booting a VM, virsh dumpxml shows an apparmor seclabel.
>
> As soon as I try to attach a second disk to the VM, apparmor blocks this.
>
> virsh attach-device test-vps /tmp/virshXmlDefinition
> error: Failed to attach device from /tmp/virshXmlDefinition
> error: operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
>
> Syslog shows me the following:
> Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED"
> operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453
> comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
> Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED"
> operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453
> comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
> Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 :
> operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
>
> In the VM specific apparmor file /etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:
> "/mnt/images/disk1.raw" rw,
>
> Which is my primary VM disk, I expected a virsh attach-device to append /mnt/images/disk2.raw to this file and
> reload/refresh the apparmor profile?
>
> I'm not able to attach a live disk to a running VM with apparmor. Am I missing something? Or is this a bug/missing
> feature in libvirt?
>
> Thanks,
> Frank
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
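
Added example, not part of the original thread and not libvirt code: a Python sketch that compares the AppArmor denials quoted above with the rules in the per-VM `.files` profile and reports which access the profile lacks. The function names are hypothetical, the sample input is the thread's own log lines and rule with the wrapped lines joined, and it assumes literal quoted paths (no AppArmor globs).

```python
import re

# Sample input: the syslog lines and the .files rule quoted in the thread,
# with the mail client's line wrapping undone.
AUDIT_LOG = '''\
Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
'''
FILES_PROFILE = '  "/mnt/images/disk1.raw" rw,\n'

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')             # key="value" or key=value
RULE = re.compile(r'^\s*"([^"]+)"\s+([a-zA-Z]+),\s*$')  # "path" perms,

def parse_denials(log_text):
    """Return one dict of key/value fields per apparmor="DENIED" audit record."""
    denials = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # e.g. the libvirtd error line carries no audit fields
        fields = {}
        for key, raw, quoted in KV.findall(line):
            fields[key] = quoted if raw.startswith('"') else raw
        denials.append(fields)
    return denials

def parse_rules(profile_text):
    """Map each literal path in a .files profile to its set of permission letters."""
    rules = {}
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m:
            rules.setdefault(m.group(1), set()).update(m.group(2))
    return rules

def missing_access(log_text, profile_text):
    """Return {(profile, path): permissions denied in the log but absent from the rules}."""
    rules = parse_rules(profile_text)
    missing = {}
    for d in parse_denials(log_text):
        if "name" not in d or "profile" not in d:
            continue  # not a file-access denial
        lacking = set(d.get("denied_mask", "")) - rules.get(d["name"], set())
        if lacking:
            missing.setdefault((d["profile"], d["name"]), set()).update(lacking)
    return missing

if __name__ == "__main__":
    for (profile, path), perms in missing_access(AUDIT_LOG, FILES_PROFILE).items():
        print(f'{profile}: no rule grants "{path}" {"".join(sorted(perms))}')
```

An empty result means every denied access in the log is already covered by a rule in the profile text, which points at a profile that was written but not reloaded rather than a missing rule.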