touch-packages team mailing list archive

Thread
Date

[Bug 1511830] Re: apparmor denies VM startup when image is network mounted

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Serge Hallyn <1511830@xxxxxxxxxxxxxxxxxx>
Date: Mon, 02 Nov 2015 15:32:19 -0000
Reply-to: Bug 1511830 <1511830@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Thanks for reporting this bug.

Can you show the xml for the libvirt managed nfs storage and for the VM?

The virt-aa-helper policy has

  # needed for when disk is on a network filesystem
  network inet,

Which I suspect should prevent this from happening, so I will target
this at apparmor.


** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1511830

Title:
  apparmor denies VM startup when image is network mounted

Status in apparmor package in Ubuntu:
  New
Status in libvirt package in Ubuntu:
  New

Bug description:
  If I attempt to start a VM with one of its disk images on a libvirt
  managed NFS mount, it fails:

  Oct 30 15:30:56 athens kernel: [545232.917662] audit: type=1400
  audit(1446233456.718:81): apparmor="DENIED" operation="sendmsg"
  profile="/usr/lib/libvirt/virt-aa-helper" pid=13760 comm="virt-aa-
  helper" laddr=fd60:e0:a0f4:121::8 lport=757 faddr=fd60:e0:a0f4:121::4
  fport=2049 family="inet6" sock_type="stream" protocol=6

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1511830/+subscriptions