apparmor_parser fails on certain paths in profile

Bug #432810 reported by Alexander Jones
This bug affects 1 person
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Jamie Strandboge
Milestone: (none listed)

Bug Description

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 493, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 558, in startup
    self.vm.create()
  File "/usr/lib/python2.6/dist-packages/libvirt.py", line 293, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: AppArmorGenSecurityLabel: cannot generate AppArmor profile 'libvirt-5539255a-03ec-319f-10af-79f8efbf7195'

I get this traceback trying to start a VM created in Jaunty, or when trying to create a new VM at the last stage when "installing".

Jamie Strandboge (jdstrand) wrote :

Can you give the output of the following commands:

$ ls -lr /etc/apparmor.d
$ sudo apparmor_status

Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Alexander Jones (alex-weej) wrote :

alex@whoosh:~$ ls -lr /etc/apparmor.d
total 56
-rw-r--r-- 1 root root 708 2009-08-14 01:43 usr.sbin.tcpdump
-rw-r--r-- 1 root root 1006 2009-09-10 19:43 usr.sbin.libvirtd
-rw-r--r-- 1 root root 4050 2009-09-15 11:09 usr.sbin.cupsd
-rw-r--r-- 1 root root 531 2009-09-10 19:43 usr.bin.virt-aa-helper
-rw-r--r-- 1 root root 3752 2009-09-03 09:12 usr.bin.firefox-3.5
-rw-r--r-- 1 root root 1998 2009-09-03 19:34 usr.bin.evince
drwxr-xr-x 2 root root 4096 2009-09-19 18:57 tunables
-rw-r--r-- 1 root root 1856 2009-07-17 20:28 sbin.dhclient3
drwxr-xr-x 2 root root 4096 2009-09-19 20:11 libvirt
-rw-r--r-- 1 root root 967 2009-09-16 00:17 gdm-guest-session
drwxr-xr-x 2 root root 4096 2009-07-17 20:30 force-complain
drwxr-xr-x 2 root root 4096 2009-09-19 20:31 disable
drwxr-xr-x 2 root root 4096 2009-09-19 18:57 cache
drwxr-xr-x 2 root root 4096 2009-09-19 18:57 abstractions

alex@whoosh:~$ sudo apparmor_status
[sudo] password for alex:
apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
   /usr/lib/connman/scripts/dhclient-script
   /usr/share/gdm/guest-session/Xsession
   /usr/bin/evince-previewer
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
   /usr/bin/evince-thumbnailer
   /usr/bin/evince
   /sbin/dhclient3
   /usr/bin/virt-aa-helper
   /usr/sbin/cupsd
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/sbin/libvirtd
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode :
   /sbin/dhclient3 (16140)
   /usr/sbin/libvirtd (13971)
   /usr/sbin/cupsd (2568)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Alexander Jones (alex-weej) wrote :

alex@whoosh:~$ ls -lR /etc/apparmor.d
/etc/apparmor.d:
total 56
drwxr-xr-x 2 root root 4096 2009-09-19 18:57 abstractions
drwxr-xr-x 2 root root 4096 2009-09-19 18:57 cache
drwxr-xr-x 2 root root 4096 2009-09-19 20:31 disable
drwxr-xr-x 2 root root 4096 2009-07-17 20:30 force-complain
-rw-r--r-- 1 root root 967 2009-09-16 00:17 gdm-guest-session
drwxr-xr-x 2 root root 4096 2009-09-19 20:11 libvirt
-rw-r--r-- 1 root root 1856 2009-07-17 20:28 sbin.dhclient3
drwxr-xr-x 2 root root 4096 2009-09-19 18:57 tunables
-rw-r--r-- 1 root root 1998 2009-09-03 19:34 usr.bin.evince
-rw-r--r-- 1 root root 3752 2009-09-03 09:12 usr.bin.firefox-3.5
-rw-r--r-- 1 root root 531 2009-09-10 19:43 usr.bin.virt-aa-helper
-rw-r--r-- 1 root root 4050 2009-09-15 11:09 usr.sbin.cupsd
-rw-r--r-- 1 root root 1006 2009-09-10 19:43 usr.sbin.libvirtd
-rw-r--r-- 1 root root 708 2009-08-14 01:43 usr.sbin.tcpdump

/etc/apparmor.d/abstractions:
total 212
-rw-r--r-- 1 root root 252 2009-09-10 03:49 aspell
-rw-r--r-- 1 root root 1182 2009-09-10 03:49 audio
-rw-r--r-- 1 root root 1339 2009-09-10 03:49 authentication
-rw-r--r-- 1 root root 4027 2009-09-10 03:49 base
-rw-r--r-- 1 root root 1565 2009-09-10 03:49 bash
-rw-r--r-- 1 root root 853 2009-09-10 03:49 consoles
-rw-r--r-- 1 root root 210 2009-09-10 03:49 cups-client
-rw-r--r-- 1 root root 143 2009-09-10 03:49 dbus
-rw-r--r-- 1 root root 2345 2009-09-03 19:34 evince
-rw-r--r-- 1 root root 1376 2009-09-10 03:49 fonts
-rw-r--r-- 1 root root 622 2009-09-10 03:49 freedesktop.org
-rw-r--r-- 1 root root 2117 2009-09-10 03:49 gnome
-rw-r--r-- 1 root root 278 2009-09-10 03:49 gnupg
-rw-r--r-- 1 root root 1457 2009-09-10 03:49 kde
-rw-r--r-- 1 root root 919 2009-09-10 03:49 kerberosclient
-rw-r--r-- 1 root root 164 2009-09-10 03:49 launchpad-integration
-rw-r--r-- 1 root root 2170 2009-09-18 16:05 libvirt-qemu
-rw-r--r-- 1 root root 141 2009-09-10 03:49 likewise
-rw-r--r-- 1 root root 483 2009-09-10 03:49 mdns
-rw-r--r-- 1 root root 530 2009-09-10 03:49 mysql
-rw-r--r-- 1 root root 2445 2009-09-10 03:49 nameservice
-rw-r--r-- 1 root root 573 2009-09-10 03:49 nis
-rw-r--r-- 1 root root 220 2009-09-10 03:49 nvidia
-rw-r--r-- 1 root root 93 2009-09-10 03:49 orbit2
-rw-r--r-- 1 root root 750 2009-09-10 03:49 perl
-rw-r--r-- 1 root root 866 2009-09-10 03:49 php5
-rw-r--r-- 1 root root 734 2009-09-10 03:49 private-files
-rw-r--r-- 1 root root 383 2009-09-10 03:49 private-files-strict
-rw-r--r-- 1 root root 1123 2009-09-10 03:49 python
-rw-r--r-- 1 root root 973 2009-09-10 03:49 ruby
-rw-r--r-- 1 root root 164 2009-09-10 03:49 samba
-rw-r--r-- 1 root root 98 2009-09-10 03:49 smbpass
-rw-r--r-- 1 root root 493 2009-09-10 03:49 ssl_certs
-rw-r--r-- 1 root root 274 2009-09-10 03:49 ssl_keys
-rw-r--r-- 1 root root 1704 2009-09-10 03:49 svn-repositories
-rw-r--r-- 1 root root 550 2009-09-10 03:49 ubuntu-browsers
-rw-r--r-- 1 root root 341 2009-09-10 03:49 ubuntu-console-browsers
-rw-r--r-- 1 root root 331 2009-09-10 03:49 ubuntu-console-email
-rw-r--r-- 1 root root 393 2009-09-10 03:49 ubuntu-email
-rw-r--r-- 1 root root 159 2009-09-10 03:49 ubuntu-gnome-terminal
-rw-r--r-- 1 root root 318 2009-09-10 03:49 ubuntu-k...


Jamie Strandboge (jdstrand) wrote :

Can you add the xml file for the VM in question? Eg:

$ virsh dumpxml <vm name> > /tmp/<vm name>.xml

Jamie Strandboge (jdstrand) wrote :

This was caused due to a space in the name of the disk and virt-aa-helper not handling it properly. The way virt-aa-helper handles these files is changing, so this will not be an issue after the next upload.

Changed in libvirt (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged
summary: - [karmic] Can't start qemu system VMs via virt-manager due to AppArmor
- error
+ virt-aa-helper fails on certain paths
Changed in libvirt (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote : Re: virt-aa-helper fails on certain paths

This bug was fixed in the package libvirt - 0.7.0-1ubuntu8

---------------
libvirt (0.7.0-1ubuntu8) karmic; urgency=low

  * debian/patches/9091-apparmor.patch: sync with upstream for maintenance,
    licensing compliance with upstream and bug fixes:
    - handle files with spaces in the name (LP: #432810)
    - add serial, console, kernel and initrd support (LP: #432581)
    - allow read only access to /boot, /vmlinuz and /initrd.img
    - allow access to character devices (eg USB devices)
    - have virt-aa-helper accept XML on stdin, which allows for adding
      other devices in the future and helps ensure we always have the most
      up to date definition
    - update profile on attach and detach of devices (LP: #435527)
    - add --dryrun option to virt-aa-helper, and greatly improve the
      virt-aa-helper-test script
  * revert workaround for LP: #431090 now that kernel, initrd, et al is
    properly supported
  * debian/apparmor/usr.sbin.libvirtd: add various capabilities
    recommended by upstream to prevent potential regressions

 -- Jamie Strandboge <email address hidden> Tue, 22 Sep 2009 20:04:58 -0500

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

This turned out to be not the libvirt security driver and not virt-aa-helper, but instead apparmor_parser not handling spaces in paths in the profile. Fix is to double-quote the dynamic paths (fix included in 0.7.0-1ubuntu8).

summary: - virt-aa-helper fails on certain paths
+ apparmor_parser fails on certain paths in profile
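
The fix described in the last comment (double-quoting dynamic paths in the generated profile), shown as an added example that is not part of the original report and is not libvirt's or virt-aa-helper's code. The function names, the sample paths and the decision to reject rather than escape quote and glob characters are assumptions of this sketch; the checker is a heuristic for simple "PATH PERMS," rule lines only.

```python
import re

# Refused in a literal path by this example: '"' and newline would end the
# quoted string or the rule early; the rest are AppArmor glob/escape syntax.
UNSAFE_CHARS = set('"\n\\*?[]{}^')


def file_rule(path, perms="rw"):
    """Return one AppArmor file rule with the path double-quoted."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute: %r" % path)
    bad = UNSAFE_CHARS.intersection(path)
    if bad:
        raise ValueError("unsupported characters %r in %r" % (sorted(bad), path))
    if not re.fullmatch(r"[rwk]+", perms):
        raise ValueError("unexpected permissions: %r" % perms)
    return '  "%s" %s,' % (path, perms)


def find_unquoted_space_rules(profile_text):
    """Return (line number, rule) for unquoted path rules that contain whitespace."""
    hits = []
    for lineno, raw in enumerate(profile_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("/"):
            continue  # comments, includes, braces and already-quoted rules
        # An unquoted "PATH PERMS," rule splits into exactly two tokens;
        # a space inside the path produces more.
        if len(line.rstrip(",").split()) != 2:
            hits.append((lineno, line))
    return hits


# Constructed sample of per-VM rules, not taken from the report.
SAMPLE = """\
  # constructed sample
  "/var/log/libvirt/qemu/demo.log" w,
  /var/lib/libvirt/images/demo.img rw,
  /var/lib/libvirt/images/Windows XP.img rw,
"""

if __name__ == "__main__":
    for lineno, rule in find_unquoted_space_rules(SAMPLE):
        print("line %d needs quoting: %s" % (lineno, rule))
    print(file_rule("/var/lib/libvirt/images/Windows XP.img"))
```
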