Bug 1280202 - AppArmor does not allow attaching a disk to a running VM.
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-11 07:51 UTC by crengo
Modified: 2016-04-10 22:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-10 22:43:10 UTC
Embargoed:



Description crengo 2015-11-11 07:51:52 UTC
Description of problem:
"virsh attach-disk" fails with this error:
error : qemuMonitorJSONCheckError:382 : internal error: unable to execute QEMU command 'device_add': Property 'virtio-blk-device.drive' can't find value 'drive-virtio-disk22'

/var/log/kern.log relevant content:
audit: type=1400 audit(1447083242.001:2648): apparmor="STATUS" operation="profile_replace" name="libvirt-1528769e-38d7-af29-2398-00005a272ccf" pid=18348 comm="apparmor_parser"
audit: type=1400 audit(1447083242.041:2649): apparmor="STATUS" operation="profile_replace" name="qemu_bridge_helper" pid=18348 comm="apparmor_parser"
audit: type=1400 audit(1447083242.041:2650): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="r" denied_mask="r" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.041:2651): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="r" denied_mask="r" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.041:2652): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.661:2653): apparmor="STATUS" operation="profile_replace" name="libvirt-1528769e-38d7-af29-2398-00005a272ccf" pid=18383 comm="apparmor_parser"
audit: type=1400 audit(1447083242.701:2654): apparmor="STATUS" operation="profile_replace" name="qemu_bridge_helper" pid=18383 comm="apparmor_parser"

Version-Release number of selected component (if applicable):
libvirt v1.2.21

How reproducible:
100%

Steps to Reproduce:
1. Run libvirt daemon with AppArmor support, run AppArmor with libvirt profile loaded.
2. # virsh attach-disk <domain> <disk-image> <vdX>

Actual results:
as steps

Expected results:
command should run successfully and XML definition of VM should change accordingly.

Additional info:
libvirt v1.2.21 compiled with AppArmor support and installed on Debian 7.
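
An added example, not part of the original report or of libvirt: a small Python triage helper that parses AppArmor audit lines in the format quoted above, collapses repeated DENIED events per profile, path and command, and lists the profile_replace times so the denials can be placed relative to profile reloads. The function names are hypothetical; the sample input is four of the log lines from the report.

```python
import re

# Sample input: four of the kern.log lines quoted in the report above.
SAMPLE = """\
audit: type=1400 audit(1447083242.001:2648): apparmor="STATUS" operation="profile_replace" name="libvirt-1528769e-38d7-af29-2398-00005a272ccf" pid=18348 comm="apparmor_parser"
audit: type=1400 audit(1447083242.041:2650): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="r" denied_mask="r" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.041:2652): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.661:2653): apparmor="STATUS" operation="profile_replace" name="libvirt-1528769e-38d7-af29-2398-00005a272ccf" pid=18383 comm="apparmor_parser"
"""

HEADER = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # epoch time and event serial
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare

def parse_line(line):
    """Return one AppArmor audit record as a dict, or None for any other line."""
    head = HEADER.search(line)
    if not head or 'apparmor=' not in line:
        return None
    rec = {'time': float(head.group(1)), 'serial': int(head.group(2))}
    for key, quoted, bare in FIELD.findall(line[head.end():]):
        value = bare or quoted
        if bare and key in ('name', 'comm', 'profile'):
            try:  # the audit layer hex-encodes strings it cannot quote safely
                value = bytes.fromhex(bare).decode('utf-8', 'replace')
            except ValueError:
                pass
        rec[key] = value
    return rec

def summarize_denials(text):
    """One entry per (profile, path, comm) with the union of denied permissions."""
    out = {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec.get('apparmor') != 'DENIED':
            continue
        key = (rec.get('profile'), rec.get('name'), rec.get('comm'))
        entry = out.setdefault(key, {'mask': set(), 'count': 0, 'first': rec['time']})
        entry['mask'] |= set(rec.get('denied_mask', ''))
        entry['count'] += 1
    return out

def profile_reloads(text, profile):
    """Times at which the named profile was replaced (reloaded)."""
    recs = filter(None, map(parse_line, text.splitlines()))
    return [r['time'] for r in recs
            if r.get('operation') == 'profile_replace' and r.get('name') == profile]

if __name__ == '__main__':
    for (profile, path, comm), e in summarize_denials(SAMPLE).items():
        print(comm, 'denied', ''.join(sorted(e['mask'])), 'on', path, 'x%d' % e['count'], profile)
```

On the report's lines this yields a single entry: kvm denied `rw` on the new disk image under the per-VM profile, with profile reloads logged 40 ms before and 620 ms after the denials.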

Comment 1 Cole Robinson 2016-04-10 22:43:10 UTC
I suggest filing a bug with Debian in this case; most devs that watch this tracker are on RH distros that don't have AppArmor.

