On Thu, Mar 30, 2017 at 03:00:06PM +0000, Frank Schreuder wrote: > Hello Guido, > > I have great news. I'm able to successfully live attach a disk to a running VM with a loaded apparmor profile. > > My setup: > Debian 8 > Kernel 4.9.11 > Libvirt 3.1.0 > Apparmor 2.10 from Debian backports > > With same software and apparmor 2.9 from the stable Debian repo it fails. So apparently 2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight helps you find the commit and backport it to apparmor 2.9 stable? Thanks for reporting, I added a note to #805002. It's unlikely we'll have a backport of both the kernel changes and appamor for Jessie but we can make things work for stretch (which currently shows a different error I'll have to look into). Cheers, -- Guido > > Thanks, > Frank > > > Sent from my iPhone > > > On 24 Mar 2017, at 09:17, Guido Günther <agx@xxxxxxxxxxx> wrote: > > > >> On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote: > >> Hello Frank, > >> > >> I'm currently investigating some apparmor-related bug with namespaces. This one > >> is surely related. I'll look into it when I'm done with the one I'm working on. > > > > Assuming you're running the Jessie Kernel its likely: > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002 > > > > To make sure it's the kernel and not libvirt have a look at: > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51 > > > > Cheers, > > -- Guido > > > >> > >> -- > >> Cedric > >> > >>> On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote: > >>> Hello, > >>> > >>> I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured libvirt to use apparmor as > >>> security driver. > >>> After booting a VM, virsh dumpxml shows an apparmor seclabel. > >>> > >>> As soon as I try to attach a second disk to the VM, apparmor blocks this. > >>> > >>> virsh attach-device test-vps /tmp/virshXmlDefinition > >>> error: Failed to attach device from /tmp/virshXmlDefinition > >>> error: operation failed: Could not open '/mnt/images/disk2.raw': Permission denied > >>> > >>> Syslogs shows me the following: > >>> Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" > >>> operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 > >>> comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33 > >>> Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" > >>> operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 > >>> comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33 > >>> Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : > >>> operation failed: Could not open '/mnt/images/disk2.raw': Permission denied > >>> > >>> In the VM specific apparmor file /etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see: > >>> "/mnt/images/disk1.raw" rw, > >>> > >>> Which is my primary VM disk, I expected a virsh attach-device to append /mnt/images/disk2.raw to this file and > >>> reload/refresh the apparmor profile? > >>> > >>> I'm not able to attach a live disk to a running VM with apparmor. Am I missing something? Or is this a bug/missing > >>> feature in libvirt? > >>> > >>> Thanks, > >>> Frank > >>> -- > >>> libvir-list mailing list > >>> libvir-list@xxxxxxxxxx > >>> https://www.redhat.com/mailman/listinfo/libvir-list > >> > >> -- > >> libvir-list mailing list > >> libvir-list@xxxxxxxxxx > >> https://www.redhat.com/mailman/listinfo/libvir-list > >> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
