Bug 1280202 - AppArmor does not allow attaching a disk to a running VM.
Status: CLOSED DEFERRED
Product: Virtualization Tools
Classification: Community
Component: libvirt
Hardware: x86_64
Severity: high
Assigned To: Libvirt Maintainers
Reported: 2015-11-11 02:51 EST by crengo
Modified: 2016-04-10 18:43 EDT
Last Closed: 2016-04-10 18:43:10 EDT
Type: Bug
Description crengo 2015-11-11 02:51:52 EST
Description of problem:
"virsh attach-disk" fails with this error:
error : qemuMonitorJSONCheckError:382 : internal error: unable to execute QEMU command 'device_add': Property 'virtio-blk-device.drive' can't find value 'drive-virtio-disk22'

/var/log/kern.log relevant content:
audit: type=1400 audit(1447083242.001:2648): apparmor="STATUS" operation="profile_replace" name="libvirt-1528769e-38d7-af29-2398-00005a272ccf" pid=18348 comm="apparmor_parser"
audit: type=1400 audit(1447083242.041:2649): apparmor="STATUS" operation="profile_replace" name="qemu_bridge_helper" pid=18348 comm="apparmor_parser"
audit: type=1400 audit(1447083242.041:2650): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="r" denied_mask="r" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.041:2651): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="r" denied_mask="r" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.041:2652): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.661:2653): apparmor="STATUS" operation="profile_replace" name="libvirt-1528769e-38d7-af29-2398-00005a272ccf" pid=18383 comm="apparmor_parser"
audit: type=1400 audit(1447083242.701:2654): apparmor="STATUS" operation="profile_replace" name="qemu_bridge_helper" pid=18383 comm="apparmor_parser"

Version-Release number of selected component (if applicable):
libvirt v1.2.21

How reproducible:
100%

Steps to Reproduce:
1. Run libvirt daemon with AppArmor support, run AppArmor with libvirt profile loaded.
2. # virsh attach-disk <domain> <disk-image> <vdX>

Actual results:
as steps

Expected results:
Command should run successfully and the XML definition of the VM should change accordingly.

Additional info:
libvirt v1.2.21 compiled with AppArmor support and installed on Debian 7.
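
A triage helper for kern.log excerpts like the one in the description, added here as an example (not code from libvirt or from the reporter): it groups AppArmor DENIED records by profile and path, merges the denied masks, and notes whether the same profile was reloaded before or after the denial. The function names are made up for this example; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Four lines copied from the kern.log excerpt in this report (serials 2648, 2650, 2652, 2653).
SAMPLE = '''\
audit: type=1400 audit(1447083242.001:2648): apparmor="STATUS" operation="profile_replace" name="libvirt-1528769e-38d7-af29-2398-00005a272ccf" pid=18348 comm="apparmor_parser"
audit: type=1400 audit(1447083242.041:2650): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="r" denied_mask="r" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.041:2652): apparmor="DENIED" operation="open" profile="libvirt-1528769e-38d7-af29-2398-00005a272ccf" name="/mnt/spool999/storage1/newdisk.raw" pid=16391 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=997 ouid=33
audit: type=1400 audit(1447083242.661:2653): apparmor="STATUS" operation="profile_replace" name="libvirt-1528769e-38d7-af29-2398-00005a272ccf" pid=18383 comm="apparmor_parser"
'''.splitlines()

AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # audit(<epoch>:<serial>)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key="quoted" or key=bare

def parse_line(line):
    """Return the record as a dict, or None if it is not an AppArmor audit line."""
    m = AUDIT_ID.search(line)
    if not m or 'apparmor=' not in line:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec['time'], rec['serial'] = float(m.group(1)), int(m.group(2))
    return rec

def summarize_denials(lines):
    """Group DENIED records by (profile, path); merge masks and count repeats."""
    records = [r for r in map(parse_line, lines) if r]
    reloads = defaultdict(list)  # profile name -> serials of profile_replace events
    for r in records:
        if r.get('operation') == 'profile_replace':
            reloads[r['name']].append(r['serial'])
    out = {}
    for r in records:
        if r.get('apparmor') != 'DENIED':
            continue
        e = out.setdefault((r['profile'], r['name']), {
            'masks': set(), 'count': 0, 'comm': r.get('comm'), 'fsuid': r.get('fsuid'),
            'ouid': r.get('ouid'), 'reloaded_before': False, 'reloaded_after': False})
        e['masks'] |= set(r.get('denied_mask', ''))
        e['count'] += 1
        e['reloaded_before'] |= any(s < r['serial'] for s in reloads[r['profile']])
        e['reloaded_after'] |= any(s > r['serial'] for s in reloads[r['profile']])
    return out

if __name__ == '__main__':
    for (profile, path), e in summarize_denials(SAMPLE).items():
        print(profile, path, ''.join(sorted(e['masks'])), e)
```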
Comment 1 Cole Robinson 2016-04-10 18:43:10 EDT
I suggest filing a bug with Debian in this case; most devs who watch this tracker are on RH distros that don't have AppArmor.
