[libvirt-users] Using qemu active blockcommit results in 'Permission denied' error

Marcus Hoffmann bubu at bubu1.eu
Thu Jun 13 10:30:19 UTC 2019


Hello Peter,

On 13.06.19 10:08, Peter Krempa wrote:
> On Tue, Jun 11, 2019 at 14:35:46 +0200, Peter Krempa wrote:
>> On Fri, May 31, 2019 at 14:03:40 +0200, Marcus Hoffmann wrote:
[...]
>>
>> I managed to reproduce this issue but when using selinux. I'll try to
>> fix it with selinux and will try to assess whether it has the possibility
>> to fix apparmor too. I'll cc you on a patch when I'll be able to fix it.
> 
> 
> Well,
> 
> The problem I managed to fix had the same symptoms but probably was not
> what you see, as you are using libvirt 5.0.0 and I broke the permissions
> code in libvirt 5.4.0.
> 
> Unfortunately I can't tell what's wrong from the debug logs you've
> provided. Is there a possibility to collect anything from apparmor? In
> selinux world we do collect denials of the security model in a log file
> which might indicate what's happening.

As I wrote in my original email I *thought* I had disabled apparmor
enforcement for libvirt completely at this point. I'm not an apparmor
expert, so I'm really not too sure. I'll see if I can gather more
information.

> 
> Also I've pushed a patch which adds more logging to the
> permission-changing code executed while doing blockjobs:
> 
> commit e6635c626a252669c79a84fe0a2af11a361aa341 (HEAD -> master, origin/master, origin/HEAD)
> Author: Peter Krempa <pkrempa at redhat.com>
> Date:   Wed Jun 12 13:49:57 2019 +0200
> 
>     qemu: domain: Log some useful data in qemuDomainStorageSourceAccessModify
>     
>     Log the flags passed to the function in an exploded state so that it's
>     easily visible what's happening to the image.
>     
>     Signed-off-by: Peter Krempa <pkrempa at redhat.com>
>     Reviewed-by: Ján Tomko <jtomko at redhat.com>
> 
> Unfortunately that commit can't be applied to libvirt 5.0 because it
> depends on a refactor which I pushed in 5.4 (which also caused the
> problem I was fixing recently). If you could test the upstream version
> it would be great.
> 
> Thanks for reporting the problem and I'd be grateful if you could
> collect logs from the apparmor security thing.
> 


I'll try to upgrade to upstream libvirt. It will probably take me a bit
to get around to this.

Thanks for looking into this.

Marcus
