On Thu, Oct 29, 2015 at 05:35:23PM +0100, Cedric Bosdonnat wrote:
> Hi all,
> 
> I'm seeing weird apparmor errors when running virt-sandbox here. Here are the 
> log entries:
> 
> apparmor="ALLOWED" operation="mknod" parent=1 
> profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" 
> name="/var/lib/libvirt/qemu/sandbox.monitor" pid=2251 comm="qemu-system-x86" 
> requested_mask="c" denied_mask="c" fsuid=493 ouid=493
> apparmor="ALLOWED" operation="open" parent=1 
> profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/ptmx" 
> pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 
> ouid=0
> apparmor="ALLOWED" operation="open" parent=1 
> profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/pts/2" 
> pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 
> ouid=493
> apparmor="ALLOWED" operation="file_perm" parent=1 
> profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" 
> name="/var/log/libvirt/qemu/sandbox.log" pid=2251 comm="qemu-system-x86" 
> requested_mask="w" denied_mask="w" fsuid=493 ouid=0
> apparmor="ALLOWED" operation="open" parent=1 
> profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/ptmx" 
> pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 
> ouid=0
> apparmor="ALLOWED" operation="open" parent=1 
> profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/pts/3" 
> pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 
> ouid=493
> apparmor="ALLOWED" operation="file_perm" parent=1 
> profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" 
> name="/var/log/libvirt/qemu/sandbox.log" pid=2251 comm="qemu-system-x86" 
> requested_mask="w" denied_mask="w" fsuid=493 ouid=0
> apparmor="ALLOWED" operation="open" parent=1 
> profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/kvm" 
> pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 
> ouid=0
> 
> 
> The weird thing is that /dev/kvm, /var/log/libvirt/qemu/sandbox.log
> and /var/lib/libvirt/qemu/sandbox.monitor already have rules.
> 
> And I'm wondering if it's normal to have write access to /dev/pts/*
> and /dev/ptmx.

NB in containers we have two PTYs involved.  The libvirt_lxc process
opens one pty in the host context and that is used to communicate
between virsh console & libvirt_lxc.  The libvirt_lxc process opens
one pty in the guest context and that is used to communicate between
libvirt_lxc and the container master console. Libvirt_lxc forwards
data between the two PTYs.

So, yes, it is normal for libvirt_lxc to access /dev/ptmx to create
a new master PTY and to read/write to /dev/pts/NN associated with
the file descriptor retrieved from /dev/ptmx.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
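As an added triage helper for the audit records quoted above (not code from the thread or from libvirt): it parses the key=value records, folds the mknod create request into w since the profile language has no separate create permission, collapses /dev/pts/NN slaves into one glob (a heuristic of this example), and lists one candidate path rule per uncovered path for a reviewer to compare against the loaded profile.

```python
import re
from collections import defaultdict

# key=value pairs of an AppArmor audit record; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The profile language has no create permission: a "c" request is covered by "w".
MASK_ALIASES = {"c": "w"}
MASK_ORDER = "rwmkl"

def parse_record(line):
    """Return one audit record as a dict, with surrounding quotes stripped."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def generalize_path(path):
    """Heuristic of this example: fold pty slave numbers into one glob so
    /dev/pts/2 and /dev/pts/3 yield a single rule."""
    return re.sub(r"^/dev/pts/\d+$", "/dev/pts/[0-9]*", path)

def summarize(lines):
    """Map profile -> path -> permission letters from denied_mask. "ALLOWED"
    (complain mode) and "DENIED" (enforce mode) both mark an uncovered access."""
    wanted = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_record(line)
        if rec.get("apparmor") not in ("ALLOWED", "DENIED") or "name" not in rec:
            continue
        mask = {MASK_ALIASES.get(c, c) for c in rec.get("denied_mask", "")}
        wanted[rec["profile"]][generalize_path(rec["name"])] |= mask
    return wanted

def candidate_rules(wanted, profile):
    """One sorted path rule per uncovered path, for a human to review."""
    paths = wanted.get(profile, {})
    return ["%s %s," % (p, "".join(c for c in MASK_ORDER if c in paths[p]))
            for p in sorted(paths)]

PROFILE = "libvirt-634ed189-cca0-4126-830c-4e4a76846b25"
# Records taken from the thread above, one per line.
SAMPLE = [
    'apparmor="ALLOWED" operation="mknod" parent=1 profile="%s" name="/var/lib/libvirt/qemu/sandbox.monitor" pid=2251 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=493 ouid=493' % PROFILE,
    'apparmor="ALLOWED" operation="open" parent=1 profile="%s" name="/dev/ptmx" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=0' % PROFILE,
    'apparmor="ALLOWED" operation="open" parent=1 profile="%s" name="/dev/pts/2" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=493' % PROFILE,
    'apparmor="ALLOWED" operation="open" parent=1 profile="%s" name="/dev/pts/3" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=493' % PROFILE,
    'apparmor="ALLOWED" operation="open" parent=1 profile="%s" name="/dev/kvm" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=0' % PROFILE,
]
if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE), PROFILE):
        print(rule)
```

A path that shows up here although the profile already lists it (Cedric's observation) is the cue to diff the emitted rule against the loaded profile's exact rule text, including any owner prefix and permission letters.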

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
