Package: libvirt-daemon-system
Version: 1.2.9-9
Severity: normal
File: /etc/apparmor.d/libvirt/TEMPLATE.qemu
Tags: patch

On attempting to create a new virtual machine with KVM:

May 23 23:26:39 aqua kernel: [ 318.993668] audit: type=1400 audit(1432423599.343:63): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/libnl-3/classid" pid=2499 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 23 23:26:39 aqua kernel: [ 318.995946] audit: type=1400 audit(1432423599.343:64): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-7" pid=2499 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 23 23:26:39 aqua libvirtd[1130]: internal error: cannot load AppArmor profile 'libvirt-68bf0174-32b3-498e-b55d-80fdc2b5fee9'

This can be solved by applying the attached patch to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser              3.113+nmu3
ii  gettext-base         0.19.3-2
ii  init-system-helpers  1.22
ii  libapparmor1         2.9.0-3
ii  libaudit1            1:2.4-1+b1
ii  libavahi-client3     0.6.31-5
ii  libavahi-common3     0.6.31-5
ii  libblkid1            2.25.2-6
ii  libc6                2.19-18
ii  libcap-ng0           0.7.4-2
ii  libdbus-1-3          1.8.16-1
ii  libdevmapper1.02.1   2:1.02.90-2.2
ii  libgnutls-deb0-28    3.3.8-6
ii  libnl-3-200          3.2.24-2
ii  libnl-route-3-200    3.2.24-2
ii  libnuma1             2.0.10-1
ii  librados2            0.80.7-2
ii  librbd1              0.80.7-2
ii  libsasl2-2           2.1.26.dfsg1-13
ii  libselinux1          2.3-2
ii  libssh2-1            1.4.3-4.1
ii  libsystemd0          215-17
ii  libvirt-clients      1.2.9-9
ii  libvirt-daemon       1.2.9-9
ii  libvirt0             1.2.9-9
ii  libxml2              2.9.1+dfsg1-5
ii  libyajl2             2.1.0-2
ii  logrotate            3.8.7-1+b1
ii  policykit-1          0.105-8

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-9
ii  dmidecode     2.12-3
ii  dnsmasq-base  2.72-3+deb8u1
ii  ebtables      2.0.10.4-3
ii  iproute2      3.16.0-2
ii  iptables      1.4.21-2+b1
ii  parted        3.2-7
ii  pm-utils      1.4.1-15

Versions of packages libvirt-daemon-system suggests:
ii  apparmor   2.9.0-3
pn  auditd     <none>
pn  radvd      <none>
ii  systemd    215-17
pn  systemtap  <none>

--- usr.lib.libvirt.virt-aa-helper 2015-05-23 23:43:44.751750819 +0000 +++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper 2015-05-24 00:03:13.039766331 +0000 @@ -1,7 +1,7 @@ # Last Modified: Mon Apr 5 15:10:27 2010 #include <tunables/global> -/usr/lib/libvirt/virt-aa-helper { +/usr/lib/libvirt/virt-aa-helper flags=(complain) { #include <abstractions/base> # needed for searching directories @@ -25,6 +25,7 @@ /etc/apparmor.d/libvirt/* r, /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + /etc/libnl-3/classid r, # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools @@ -45,4 +46,5 @@ /**.vmdk r, /**.[iI][sS][oO] r, /**/disk{,.*} r, + /dev/dm* r, }
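
Review bot: The profile header change in the first hunk (@@ -1,7 +1,7 @@) to "/usr/lib/libvirt/virt-aa-helper flags=(complain) {" should be dropped. Complain mode stops enforcement of the whole virt-aa-helper profile, which goes far beyond the two read denials quoted in the report, and while it is set there is no way to tell whether the two added rules are sufficient on their own. Keep the profile in enforce mode, apply only the rule additions, and retest the VM creation.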
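
Review bot: The new rule "/etc/libnl-3/classid r," in the second hunk (@@ -25,6 +25,7 @@) has no comment and is placed directly under the /etc/apparmor.d/libvirt/ rules, so it reads as part of that group. The path and the "r" permission match the first denial in the log (name="/etc/libnl-3/classid", requested_mask="r"), so the rule itself looks right. Please add a one-line comment saying why virt-aa-helper reads this file, in the style of the existing "# needed for searching directories" and "# for backingstore" comments.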
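
Review bot: The rule "/dev/dm* r," in the third hunk (@@ -45,4 +46,5 @@) is wider than the denial it answers. The log shows a read of /dev/dm-7, but this glob matches every node in /dev whose name starts with "dm". Suggest narrowing it to "/dev/dm-[0-9]* r," and adding a comment that it covers device-mapper backed disks, since it currently sits uncommented at the end of the image-file patterns.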