Your message dated Mon, 6 Dec 2021 09:22:26 +0100
with message-id
<caatjj0+tnpz-h2z8utvx-b7ia41opixaeinaqbprk4qfwwe...@mail.gmail.com>
and subject line Fixed in 7.5
has caused the Debian Bug report #931470,
regarding AppArmor denies sys_rawio capability, needed to use SCSI disks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
931470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931470
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapparmor1
When trying to create VMs with disks on SCSI, AppArmor will show
warnings in the journal.
Relevant package versions:
libapparmor1/testing,now 2.13.2-10 amd64
libvirt-daemon-system/testing,now 5.0.0-4 amd64
The apparmor warning line from journal is the following:
audit: type=1400 audit(1562337821.518:28): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=1611 comm="libvirt_parthel" capability=17 capname="sys_rawio"
As I said, the above warning shows up when trying to run a VM with a SCSI disk.
In order to reproduce the above warning, run a VM with the following command:
virt-install --connect qemu:///system --name test \
  --os-variant fedora-unknown --memory 500 --vcpus 1 --wait -1 \
  --noautoconsole --noreboot \
  --disk path=/dev/sda1,device=disk,bus=virtio,readonly=off,shareable=off,cache=none,driver_name=qemu,driver_type=raw,io=native \
  --cdrom https://localhost:8000/novell.iso
Where /dev/sda1 is a partition on a SCSI disk, as you can see:
root@unassigned-hostname:~# ls -la /dev/disk/by-id/ | grep sda
lrwxrwxrwx 1 root root 9 Jul 5 11:24 pci-0000:00:02.0-scsi-0:0:2:0 -> ../../sda
lrwxrwxrwx 1 root root 10 Jul 5 11:24 pci-0000:00:02.0-scsi-0:0:2:0-part1 -> ../../sda1
Expected behavior:
Since CAP_SYS_RAWIO is needed to perform various SCSI device commands,
I would expect that the AppArmor profile would be extended to allow
that capability.
Regards,
Katerina
--- End Message ---
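
Added example, not part of the original report and not libvirt or AppArmor code: a Python parser that extracts capability denials like the one reported above from audit lines and lists, per profile, the capability rules a reviewer would have to weigh. The second and third sample lines and the name constructed-profile are constructed.

```python
import re
from collections import defaultdict

# key=value pairs: quoted string, integer, or bare token. The integer branch
# tolerates a lost space, as in pid=1611comm="..." on a re-wrapped log line.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\d+)(?=\s|[a-z_]+=|$)|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor capability denial, else None."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, number, bare = m.groups()
        fields[key] = quoted if quoted is not None else (number or bare)
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "capable":
        return None
    if "profile" not in fields or "capname" not in fields:
        return None
    return fields

def denied_capabilities(lines):
    """Map each confined profile to the sorted capability names it was denied."""
    seen = defaultdict(set)
    for line in lines:
        denial = parse_denial(line)
        if denial:
            seen[denial["profile"]].add(denial["capname"])
    return {profile: sorted(caps) for profile, caps in seen.items()}

def candidate_rules(lines):
    """Render the denials as AppArmor capability rules for human review."""
    out = []
    for profile, caps in sorted(denied_capabilities(lines).items()):
        out.append(f"# profile {profile}")
        out.extend(f"  capability {cap}," for cap in caps)
    return out

SAMPLE = [
    # From the report above, joined onto one line (pid/comm space still missing).
    'audit: type=1400 audit(1562337821.518:28): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=1611comm="libvirt_parthel" capability=17 capname="sys_rawio"',
    # Constructed: a file denial, which must not be reported as a capability.
    'audit: type=1400 audit(1562337822.100:29): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/constructed/path" pid=1611 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # Constructed: a second profile with a different capability.
    'audit: type=1400 audit(1562337823.200:30): apparmor="DENIED" operation="capable" profile="constructed-profile" pid=42 comm="demo" capability=12 capname="net_admin"',
]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

The output is a list of what was denied, not a recommendation: each capability still has to be justified for the confined program before it goes into a profile.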
--- Begin Message ---
fixed 931470 7.6.0-1
Hi,
I came across the same issue in Ubuntu [1] and realized that it was
fixed upstream by now.
The fix is [2] and part of v7.5.0.
Since v7.6.0 is in Debian testing and unstable, this can be considered
fixed by now, I think.
[1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1881969
[2]: https://gitlab.com/libvirt/libvirt/-/commit/4f2811eb816ed1da215b86778dfcf483917666a1
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
--- End Message ---