kernel-packages team mailing list archive

[Bug 453335] Re: apparmor complains about write access to a readonly file

 

I think this is actually causing a moderately serious regression with
snapshots.

If you look at the contents of an apparmor define for an example VM, the
deny that silences the error here also prevents snapshot commits from
working and, because the error is hidden, makes this extra difficult to
debug.

  "/var/log/libvirt/**/OpenWRT.log" w,
  "/var/lib/libvirt/**/OpenWRT.monitor" rw,
  "/var/run/libvirt/**/OpenWRT.pid" rwk,
  "/run/libvirt/**/OpenWRT.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.OpenWRT" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.OpenWRT" rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4-zfs-1.qcow2" rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" r,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" w,
  /dev/vhost-net rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" rw,

The bug number for the snapshot bug is #453335

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/453335

Title:
  apparmor complains about write access to a readonly file

Status in libvirt package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in libvirt source package in Lucid:
  Fix Released
Status in linux source package in Lucid:
  Fix Released
Status in libvirt source package in Karmic:
  Fix Released
Status in linux source package in Karmic:
  Fix Released

Bug description:
  When doing libvirt/apparmor ISO testing, I noticed that if I try to create a VM via an ISO image, I get the following apparmor denied message:
  type=APPARMOR_DENIED msg=audit(1255714703.311:56): operation="open" pid=31330 parent=1 profile="libvirt-7e7f916e-ff5a-c997-e9f6-c379793fd5be" requested_mask="::rw" denied_mask="::w" fsuid=0 ouid=1000 name="/home/jamie/vms/isos/karmic/karmic-desktop-i386.iso"

  What is happening is that libvirt is for some reason trying to write to this file, but it shouldn't. virt-manager shows this device as readonly and the XML for the VM shows it too:
      <disk type='file' device='cdrom'>
        <source file='/home/jamie/vms/isos/karmic/karmic-desktop-i386.iso'/>
        <target dev='hdc' bus='ide'/>
        <readonly/>
      </disk>

  The installation proceeds just fine and this isn't a regression, but
  libvirt should not try to write to installation media like this.  I
  encountered this when installing via virt-manager using the following:
  local ISO, os type: generic/generic, kvm/i686, 512, 1 vcpu, 8GB disk,
  don't allocate now

  ProblemType: Bug
  Architecture: amd64
  Date: Fri Oct 16 12:47:32 2009
  DistroRelease: Ubuntu 9.10
  Package: libvirt-bin 0.7.0-1ubuntu11
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 2.6.31-14.47-generic
  SourcePackage: libvirt
  Uname: Linux 2.6.31-14-generic x86_64

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/453335/+subscriptions
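
Added example, not part of the original message and not libvirt or AppArmor code: a Python check for the situation the comment describes, where a deny rule (which AppArmor applies ahead of allow rules and does not log unless it is prefixed with audit) removes a permission that another rule grants for the same path. It assumes exact path matches only (no glob expansion) and ignores exec modes; the function names are hypothetical.

```python
import re

# Rule lines copied from the profile fragment quoted in the message above.
PROFILE = '''\
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" r,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" w,
  /dev/vhost-net rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" rw,
'''

# Optional qualifiers, a quoted or bare absolute path, then a permission string.
RULE = re.compile(
    r'^\s*(?P<quals>(?:(?:audit|deny|allow|owner)\s+)*)'
    r'(?P<path>"[^"]+"|/\S*)\s+(?P<perms>[A-Za-z]+),\s*(?:#.*)?$'
)
FILE_PERMS = set("rwaklm")  # assumption: exec modes are out of scope here


def parse_rules(text):
    """Return one dict per file rule; comments and other lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        quals = m.group("quals").split()
        rules.append({"line": lineno, "deny": "deny" in quals,
                      "audit": "audit" in quals,
                      "path": m.group("path").strip('"'),
                      "perms": set(m.group("perms")) & FILE_PERMS})
    return rules


def shadowed_allows(text):
    """List allow rules that lose permissions to a deny rule on the same path."""
    rules = parse_rules(text)
    findings = []
    for d in (r for r in rules if r["deny"]):
        for a in (r for r in rules if not r["deny"] and r["path"] == d["path"]):
            lost = a["perms"] & d["perms"]
            if lost:
                findings.append({"path": d["path"], "deny_line": d["line"],
                                 "allow_line": a["line"],
                                 "lost": "".join(sorted(lost)),
                                 "silent": not d["audit"]})  # plain deny: no log
    return findings
```

A finding with "silent" set to True marks a denial that will leave no audit record, which is the case the comment calls hard to debug.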