Cedric Bosdonnat wrote:
> Hi Michael,
>
> Thanks for following up on that bug!
>
> On Sat, 2017-04-01 at 20:58 +0200, Michael Ströder wrote:
>> Cedric Bosdonnat wrote:
>>> I'd like to fix this, however I can't manage to reproduce it so far. Could you provide the data Christian asked for or get me some detailed steps to reproduce?
>>
>> Hmm, I've re-installed and re-enabled apparmor and this problem does not occur anymore. In the meantime there were some kernel updates. Maybe one of those updates contains a relevant fix?
>
> That I couldn't say. If you happen to reproduce again, don't hesitate to file a bug with the DENIED messages.

Hmmpf! It seems I've not thoroughly tested last time:

    # virsh start ae-dir-deb-p1
    error: Failed to start domain ae-dir-deb-p1
    error: internal error: child reported: Kernel does not provide mount namespace: Permission denied

Here's the DENIED line (see more lines below):

type=AVC msg=audit(1491411990.547:300): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=5413 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Ciao, Michael.

------------------------------ snip ------------------------------
type=VIRT_MACHINE_ID msg=audit(1491411990.375:294): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 vm-ctx=? img-ctx=? model=apparmor exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=ANOM_PROMISCUOUS msg=audit(1491411990.451:295): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=VIRT_RESOURCE msg=audit(1491411990.515:296): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=net reason=open vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 net=52:54:00:23:42:31 path="/dev/net/tun" rdev=0A:C8 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.547:297): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d9\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.547:298): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=allow vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d9\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=path path="/var/lib/libvirt/images/ae-dir-deb-p1.qcow2" rdev=? acl=rw exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.547:299): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=allow vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d9\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=major category=pty maj=88 acl=rw exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1491411990.547:300): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=5413 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=ANOM_PROMISCUOUS msg=audit(1491411990.571:301): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=395 gid=479 ses=4294967295
type=VIRT_RESOURCE msg=audit(1491411990.759:302): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=disk reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-disk="?" new-disk="/var/lib/libvirt/images/ae-dir-deb-p1.qcow2" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:303): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=net reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-net="?" new-net="52:54:00:23:42:31" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:304): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=dev reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 bus=usb device=555342207265646972646576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:305): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=dev reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 bus=usb device=555342207265646972646576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:306): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=rng reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-rng="?" new-rng="/dev/random" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:307): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=mem reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-mem=0 new-mem=524288 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1491411990.759:308): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=vcpu reason=start vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1491411990.759:309): pid=1565 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
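
For triaging an audit excerpt like the one in this message, the following added example (not part of the thread, and not libvirt or AppArmor code) parses the records and lists the AppArmor DENIED entries logged shortly before a failed domain start. The function names, the one-second window and the shortened sample records are assumptions made for the illustration.

```python
import re

# Constructed sample: three records shortened from the excerpt in the message above.
SAMPLE = """\
type=VIRT_RESOURCE msg=audit(1491411990.547:299): pid=1565 uid=0 msg='virt=kvm resrc=cgroup reason=allow vm="ae-dir-deb-p1" class=major category=pty maj=88 acl=rw exe="/usr/sbin/libvirtd" res=success'
type=AVC msg=audit(1491411990.547:300): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=5413 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=VIRT_CONTROL msg=audit(1491411990.759:309): pid=1565 uid=0 msg='virt=kvm op=start reason=booted vm="ae-dir-deb-p1" vm-pid=-1 exe="/usr/sbin/libvirtd" res=failed'
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)")
# A value is "double-quoted", 'single-quoted' (the nested msg payload) or bare.
FIELD = re.compile(r"""([\w-]+)=("[^"]*"|'[^']*'|\S+)""")

def parse_fields(text):
    """Return key/value pairs; fields nested in msg='...' are flattened in."""
    out = {}
    for key, val in FIELD.findall(text):
        if val.startswith("'"):
            out.update(parse_fields(val[1:-1]))
        else:
            out[key] = val.strip('"')
    return out

def parse_record(line):
    """Parse one audit record, or return None for a line that is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, sec, msec, serial, body = m.groups()
    rec = parse_fields(body)
    rec.update(type=rtype, ms=int(sec) * 1000 + int(msec), serial=int(serial))
    return rec

def denials_before_failed_start(log, window_ms=1000):
    """Pair each failed domain start with AppArmor denials just before it."""
    records = [r for r in map(parse_record, log.splitlines()) if r]
    denials = [r for r in records
               if r["type"] == "AVC" and r.get("apparmor") == "DENIED"]
    hits = []
    for r in records:
        if (r["type"] == "VIRT_CONTROL" and r.get("op") == "start"
                and r.get("res") == "failed"):
            near = [d for d in denials if 0 <= r["ms"] - d["ms"] <= window_ms]
            hits.append((r.get("vm"), near))
    return hits

if __name__ == "__main__":
    for vm, near in denials_before_failed_start(SAMPLE):
        for d in near:
            print(vm, d["serial"], d["profile"], d["operation"], d["info"])
```
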