https://bugzilla.novell.com/show_bug.cgi?id=764388

https://bugzilla.novell.com/show_bug.cgi?id=764388#c0

           Summary: apparmor seems to partly break libvirt networking with KVM
    Classification: openSUSE
           Product: openSUSE 12.2
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: suse-beta@cboltz.de
        ReportedBy: seife@novell.slipkontur.de
         QAContact: qa-bugs@suse.de
                CC: jfehlig@suse.com
          Found By: Third Party Developer/Partner
           Blocker: ---

This is on current Factory, always updated.

When running libvirt in a standard configuration with the guests NATed to the external interface:

susi:~ # cat /etc/libvirt/qemu/networks/default.xml
<network>
  <name>default</name>
  <uuid>8fcacdd7-1bbd-71f6-036b-fa3e1ec28c4d</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0' />
  <mac address='52:54:00:A2:7A:0B'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254' />
    </dhcp>
  </ip>
</network>

On startup of libvirtd, I find the following in /var/log/audit.log:

type=AVC msg=audit(1338015911.940:209): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=22704 comm="libvirtd" capability=29 capname="audit_write"
type=AVC msg=audit(1338015912.099:210): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=22704 comm="libvirtd" capability=29 capname="audit_write"

When starting a VM with "virsh start", I get the following in /var/log/messages:

May 28 14:54:44 susi libvirtd[22699]: 2012-05-28 12:54:44.891+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 vm-ctx=? img-ctx=?: Die Operation ist nicht erlaubt
May 28 14:54:44 susi libvirtd[22699]: 2012-05-28 12:54:44.974+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm resrc=cgroup reason=deny vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 cgroup="/sys/fs/cgroup/devices/libvirt/qemu/sles11-clone/" class=all: Die Operation ist nicht erlaubt
... a few more cgroup audit failures, then ...
May 28 14:54:45 susi libvirtd[22699]: 2012-05-28 12:54:44.979+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm resrc=net reason=open vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 net=52:54:00:0D:10:5C path="/dev/net/tun" rdev=0A:C8: Die Operation ist nicht erlaubt
May 28 14:54:45 susi libvirtd[22699]: 2012-05-28 12:54:44.979+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm resrc=net reason=open vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 net=52:54:00:0D:10:5C path="/dev/vhost-net" rdev=0A:EE: Die Operation ist nicht erlaubt
May 28 14:54:45 susi libvirtd[22699]: 2012-05-28 12:54:45.212+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm resrc=disk reason=start vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 old-disk="?" new-disk="/local/libvirt-images/sles11sp1-clone/disk0.raw": Die Operation ist nicht erlaubt
May 28 14:54:45 susi libvirtd[22699]: 2012-05-28 12:54:45.212+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm resrc=disk reason=start vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 old-disk="?" new-disk="/space/iso/SLES11/SLES-11-SP1-DVD-x86_64-GM-DVD1.iso": Die Operation ist nicht erlaubt
May 28 14:54:45 susi libvirtd[22699]: 2012-05-28 12:54:45.212+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm resrc=net reason=start vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 old-net=? new-net=52:54:00:0D:10:5C: Die Operation ist nicht erlaubt
May 28 14:54:45 susi libvirtd[22699]: 2012-05-28 12:54:45.212+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm resrc=mem reason=start vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 old-mem=0 new-mem=524288: Die Operation ist nicht erlaubt
May 28 14:54:45 susi libvirtd[22699]: 2012-05-28 12:54:45.212+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm resrc=vcpu reason=start vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 old-vcpu=0 new-vcpu=1: Die Operation ist nicht erlaubt
May 28 14:54:45 susi libvirtd[22699]: 2012-05-28 12:54:45.212+0000: 22700: warning : virAuditSend:132 : Failed to send audit message virt=kvm op=start reason=booted vm="sles11-clone" uuid=48be6e64-abfb-ccb6-0aa1-9cda2ed71fe7 vm-pid=21432: Die Operation ist nicht erlaubt

If I do 'rcapparmor stop' and then start the VM again, the "Failed to send audit message" no longer appears. However, the VM guests still cannot reach any IP outside of the KVM host.

Only after a "virsh net-destroy default; virsh net-start default", VMs can reach the outside world again.

I already checked for .rpmorig/.rpmsave files in /etc/apparmor*, but nothing there.
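
Added example (not part of the original bug report, and not code from the AppArmor or libvirt projects): a small parser that groups AppArmor capability denials such as the two audit.log records above by profile and renders the matching profile rule for manual review. The function names are hypothetical, the SYSCALL line in the sample is constructed, and whether the rule belongs in the profile is for the profile maintainer to decide.

```python
import re
from collections import Counter

# Sample input: the two AVC records quoted in the report, plus one
# constructed non-AppArmor record to show that it is ignored.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1338015911.940:209): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=22704 comm="libvirtd" capability=29 capname="audit_write"
type=AVC msg=audit(1338015912.099:210): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=22704 comm="libvirtd" capability=29 capname="audit_write"
type=SYSCALL msg=audit(1338015912.100:211): arch=c000003e syscall=2 success=yes
'''

# key=value or key="quoted value" pairs as they appear in audit records
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEADER_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_avc(line):
    """Return the fields of an AppArmor AVC record as a dict, else None."""
    if not line.startswith("type=AVC") or "apparmor=" not in line:
        return None
    head = HEADER_RE.search(line)
    if head is None:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line[head.end():]):
        fields[key] = quoted if raw.startswith('"') else raw
    fields["timestamp"] = float(head.group(1))
    fields["serial"] = int(head.group(2))
    return fields

def denied_capabilities(log_text):
    """Count DENIED capability checks per (profile, capname)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "capable" and "capname" in rec):
            counts[(rec["profile"], rec["capname"])] += 1
    return counts

def candidate_rules(counts):
    """Render one AppArmor 'capability' rule per denied capability."""
    rules = {}
    for profile, cap in sorted(counts):
        rules.setdefault(profile, []).append(f"capability {cap},")
    return rules

if __name__ == "__main__":
    print(candidate_rules(denied_capabilities(SAMPLE_AUDIT_LOG)))
```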