Apparmor denies qemu access to a number of important directories.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libvirt (Ubuntu) | Fix Released | High | Dave Chiluk | |
| Trusty | Fix Released | High | Dave Chiluk | |
| Utopic | Fix Released | High | Dave Chiluk | |
Bug Description
[Impact]
* Log files become overloaded with apparmor denials when launching large numbers of qemu virtual machines, as is the case in an OpenStack cloud.
[Test Case]
* Launch a qemu instance using libvirt.
* See logged apparmor error in /var/log/syslog
[Regression Potential]
* Current defaults are to deny access to these files, but users may have modified apparmor to permit access in order to silence these warnings. Since we don't want to break these users, and permitting access to /tmp and /var/tmp is not considered a great increase in security risk, we will proceed with the permissive policy for the SRU and with restrictive policies going forward for development.
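To make the test case measurable rather than eyeballing syslog, here is an added example (not from the bug report or from libvirt) that parses AppArmor `type=1400` denial lines and counts them per profile, path and denied mask, which shows directly which paths a libvirt-qemu profile lacks rules for. The log lines and the profile UUID below are constructed.

```python
import re
from collections import Counter

# key=value pairs in an AppArmor audit message; values may or may not be quoted
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED event, or None for any other line."""
    if 'type=1400' not in line or 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in _KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize_denials(lines):
    """Count denials per (profile, path, denied_mask); non-denial lines are skipped."""
    counts = Counter()
    for line in lines:
        ev = parse_denial(line)
        if ev is not None:
            counts[(ev.get("profile"), ev.get("name"), ev.get("denied_mask"))] += 1
    return counts


# Constructed sample: one guest profile, three denied paths, plus two unrelated lines.
_PROFILE = "libvirt-00000000-0000-4000-8000-000000000001"  # constructed UUID
_DENY = ('Dec 12 17:18:09 nuc2 kernel: [54334.{us}] type=1400 audit(1418404689.{us}:{n}): '
         'apparmor="DENIED" operation="open" profile="{p}" name="{path}" pid=4242 '
         'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0')
SAMPLE_SYSLOG = [
    _DENY.format(us="001494", n=100, p=_PROFILE, path="/tmp/"),
    _DENY.format(us="537222", n=101, p=_PROFILE, path="/var/tmp/"),
    _DENY.format(us="745412", n=102, p=_PROFILE, path="/tmp/"),
    _DENY.format(us="808978", n=103, p=_PROFILE, path="/var/lib/charm/ceph/ceph.conf"),
    'Dec 12 17:18:09 nuc2 kernel: [54334.900000] type=1400 audit(1418404689.900000:104): '
    'apparmor="STATUS" operation="profile_load" profile="unconfined" name="' + _PROFILE + '" pid=4200 comm="apparmor_parser"',
    'Dec 12 17:18:10 nuc2 kernel: [54335.000000] usb 1-1: new high-speed USB device number 3',
]

if __name__ == "__main__":
    for (profile, path, mask), n in summarize_denials(SAMPLE_SYSLOG).most_common():
        print(f"{n:4d}  {profile}  {mask}  {path}")
```

Run it against `grep 'apparmor="DENIED"' /var/log/syslog` output (one line per list entry) to get the same per-path tally for a real host.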
_______
Apparmor denies libvirt access to a number of important directories.
In this case the machine was installed using juju and maas. Specific charms in play on this machine are ceph, and nova-compute.
I'm not sure if the juju charms need to be updated or if the libvirt template needs to be updated or something else altogether.
It's important to note that without ceph apparmor still denies access to /tmp and /var/tmp
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libvirt-bin 1.2.2-0ubuntu13.1.7
ProcVersionSign
Uname: Linux 3.13.0-35-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Wed Dec 17 21:15:20 2014
KernLog:
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
tags: added: cts
Changed in libvirt (Ubuntu Trusty): importance: Undecided → High
Changed in libvirt (Ubuntu Utopic): importance: Undecided → High
description: updated
description: updated
description: updated
tags: added: verification-done-trusty verification-needed-utopic; removed: verification-needed
tags: added: verification-needed; removed: verification-needed-utopic
tags: added: verification-done-utopic
tags: added: verification-done; removed: verification-needed
Changed in libvirt (Ubuntu Trusty): assignee: nobody → Dave Chiluk (chiluk)
Changed in libvirt (Ubuntu Utopic): assignee: nobody → Dave Chiluk (chiluk)
Changed in libvirt (Ubuntu): assignee: nobody → Dave Chiluk (chiluk)
Changed in ceph (Juju Charms Collection): status: New → Incomplete
Changed in ceph (Juju Charms Collection): status: Incomplete → Invalid
no longer affects: ceph (Juju Charms Collection)
Changed in libvirt (Ubuntu Trusty): status: Confirmed → Fix Released
Changed in libvirt (Ubuntu Utopic): status: Confirmed → Fix Released
We should not allow access to /tmp and /var/tmp as that breaks application isolation. As for /var/lib/charm/ceph/ceph.conf, this sounds like something virt-aa-helper should be adding. Can you attach the domain xml for the affected VM?