[Bug 545302] Re: allow seabios in libvirt apparmor
What Ubuntu release and libvirt version are you using? The apparmor libvirt-qemu file shipped with maverick (which is where qemu 0.12.5 is shipped) has:

    /usr/share/vgabios/** r,
    /usr/share/seabios/** r,

on lines 67 and 68.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/545302
Title: allow seabios in libvirt apparmor

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 545302] Re: allow seabios in libvirt apparmor
On 23 Mar 2011 the following happened:

It is in qemu-kvm: 0.12.5+noroms-0ubuntu7.1
/usr/share/qemu/@bios.bin is symlinked to /usr/share/seabios/bios.bin
Using seabios version 0.6.0-0ubuntu1

The log in /var/log/libvirt/qemu/ gives me:

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin HOME=/home/user USER=root LOGNAME=root /usr/bin/kvm -S -M pc-0.12 -cpu qemu32 -m 256 -smp 1 -name a -uuid 6e83fecc-97a9-5118-525a-43d5af0b58b7 -monitor unix:/var/run/libvirt/qemu/a.monitor,server,nowait -boot c -drive file=/home/user/Bureaublad/Cloud/test/1.img,if=ide,index=0,boot=on -net none -serial none -parallel none -usb -vga cirrus
qemu: could not load PC BIOS 'bios.bin'

In /var/log/syslog:

Mar 23 18:42:31 node kernel: [10186.888201] type=1400 audit(1300902151.431:36): apparmor=STATUS operation=profile_load name=libvirt-6e83fecc-97a9-5118-525a-43d5af0b58b7 pid=24558 comm=apparmor_parser
Mar 23 18:42:31 node kernel: [10187.015990] type=1400 audit(1300902151.561:37): apparmor=DENIED operation=open parent=1 profile=libvirt-6e83fecc-97a9-5118-525a-43d5af0b58b7 name=/usr/share/seabios/bios.bin pid=24562 comm=kvm requested_mask=r denied_mask=r fsuid=0 ouid=0
Mar 23 18:43:01 node libvirtd: 18:43:01.488: error : qemudOpenMonitorUnix:934 : monitor socket did not show up.: Connection refused
Mar 23 18:43:01 node kernel: [10217.292118] type=1400 audit(1300902181.841:38): apparmor=STATUS operation=profile_remove name=libvirt-6e83fecc-97a9-5118-525a-43d5af0b58b7 pid=24626 comm=apparmor_parser
[Bug 545302] Re: allow seabios in libvirt apparmor
In /etc/apparmor.d/abstractions: using libvirt-qemu, add

    /usr/share/seabios/** r,

on row 59 (after /usr/share/vgabios/** r,). Restart apparmor and virsh!

In /var/log/syslog:

With /usr/share/seabios/** r, in /etc/apparmor.d/abstractions/libvirt-qemu:

Mar 23 19:36:24 node kernel: [13419.727042] type=1400 audit(1300905384.271:76): apparmor=STATUS operation=profile_load name=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 pid=31215 comm=apparmor_parser
Mar 23 19:36:24 node kernel: [13419.834767] type=1400 audit(1300905384.381:77): apparmor=DENIED operation=open parent=1 profile=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 name=/dev/fb0 pid=31218 comm=kvm requested_mask=rw denied_mask=rw fsuid=0 ouid=0
Mar 23 19:36:54 node libvirtd: 19:36:54.326: error : qemudOpenMonitorUnix:934 : monitor socket did not show up.: Connection refused
Mar 23 19:36:54 node kernel: [13450.036528] type=1400 audit(1300905414.581:78): apparmor=STATUS operation=profile_remove name=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 pid=31294 comm=apparmor_parser

Ubuntu default:

Mar 23 19:39:14 node kernel: [13589.524010] type=1400 audit(1300905554.071:94): apparmor=STATUS operation=profile_load name=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 pid=31662 comm=apparmor_parser
Mar 23 19:39:14 node kernel: [13589.629753] type=1400 audit(1300905554.171:95): apparmor=DENIED operation=open parent=1 profile=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 name=/usr/share/seabios/bios.bin pid=31665 comm=kvm requested_mask=r denied_mask=r fsuid=0 ouid=0
Mar 23 19:39:44 node libvirtd: 19:39:44.121: error : qemudOpenMonitorUnix:934 : monitor socket did not show up.: Connection refused
Mar 23 19:39:44 node kernel: [13619.797636] type=1400 audit(1300905584.341:96): apparmor=STATUS operation=profile_remove name=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 pid=31731 comm=apparmor_parser
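Added example, not part of the thread or of the libvirt packaging: a Python check that reads AppArmor DENIED records like the ones quoted above and reports which denied paths no file rule in a profile fragment covers. The log records are copied from this thread; the profile fragments, the function names and the simplified glob and permission handling (plain allow rules only, permissions treated as single letters) are assumptions.

```python
import re

# Log records copied from the syslog excerpts quoted in this thread.
SAMPLE_LOG = """\
Mar 23 19:39:14 node kernel: [13589.524010] type=1400 audit(1300905554.071:94): apparmor=STATUS operation=profile_load name=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 pid=31662 comm=apparmor_parser
Mar 23 19:39:14 node kernel: [13589.629753] type=1400 audit(1300905554.171:95): apparmor=DENIED operation=open parent=1 profile=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 name=/usr/share/seabios/bios.bin pid=31665 comm=kvm requested_mask=r denied_mask=r fsuid=0 ouid=0
Mar 23 19:36:24 node kernel: [13419.834767] type=1400 audit(1300905384.381:77): apparmor=DENIED operation=open parent=1 profile=libvirt-5872b474-ad53-8708-db86-928a9d6655b6 name=/dev/fb0 pid=31218 comm=kvm requested_mask=rw denied_mask=rw fsuid=0 ouid=0
"""

# Constructed profile fragments (assumption): without and with the seabios rule.
WITHOUT_SEABIOS = "  /usr/share/vgabios/** r,\n"
WITH_SEABIOS = WITHOUT_SEABIOS + "  /usr/share/seabios/** r,\n"

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                    # key=value, quoted or bare
RULE = re.compile(r'^\s*(/\S*)\s+([a-zA-Z]+),\s*(#.*)?$')  # "<path glob> <perms>,"
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}             # ** crosses '/', * and ? do not

def denials(log):
    """Return (profile, path, denied_mask) for every apparmor=DENIED record."""
    found = []
    for line in log.splitlines():
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        if f.get("apparmor") == "DENIED" and "name" in f:
            found.append((f.get("profile", "?"), f["name"], f.get("denied_mask", "")))
    return found

def file_rules(profile_text):
    """Parse plain allow rules into (compiled path regex, permission set)."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m:
            parts = re.split(r'(\*\*|\*|\?)', m.group(1))
            rx = "".join(GLOB.get(p, re.escape(p)) for p in parts)
            rules.append((re.compile(rx + r"\Z"), set(m.group(2))))
    return rules

def uncovered(log, profile_text):
    """List (path, mask) denials that no rule in profile_text would allow."""
    rules = file_rules(profile_text)
    missing = []
    for _profile, path, mask in denials(log):
        granted = set().union(*(perms for rx, perms in rules if rx.match(path)))
        if not set(mask) <= granted:
            missing.append((path, mask))
    return missing

if __name__ == "__main__":
    print(uncovered(SAMPLE_LOG, WITHOUT_SEABIOS), uncovered(SAMPLE_LOG, WITH_SEABIOS))
```

With the seabios rule present the BIOS denial is covered and only the /dev/fb0 record remains, matching the two syslog excerpts in the message above.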
[Bug 545302] Re: allow seabios in libvirt apparmor
I made the mistake of assuming that my issue couldn't have been apparmor related because I had executed '/etc/init.d/apparmor stop' to unload profiles to ensure it wasn't an apparmor problem. Apparently this wasn't true, as comment #3 made me go and try the apparmor rules anyway and this resolved the problem after an apparmor restart.
[Bug 545302] Re: allow seabios in libvirt apparmor
Thanks for the note RobertO, the same thing happened to me when I upgraded to Lucid, and like you it took me some time to find the problem. Unfortunately as the years go by it seems to me that added security features have become by far the biggest drain on productivity in all areas of computing.
[Bug 545302] Re: allow seabios in libvirt apparmor
David, this is not a particularly helpful comment. The user was running a development release of Ubuntu and we can expect, as packaging dependencies change, etc., that things can break. This can happen with any feature, not just a security feature. If you have specific problems that affect you, please file a separate bug.
[Bug 545302] Re: allow seabios in libvirt apparmor
Just a note to help others -- during my latest dist-upgrade, I was prompted whether or not I wanted to overwrite a particular kvm-related file to add another permissions line for seabios. I was worried about losing other customizations to this file and declined -- neglecting to write down the important change. (Lesson: don't do these things late at night when you're tired!) This of course caused all my virtual machines to refuse to start with the errors shown above.

It took QUITE a while for me to find the file I had to change manually, and it's such a simple change. You must edit /etc/apparmor.d/abstractions/libvirt-qemu and add the following line (after line 63, if you haven't already added lines beyond the standard definition); it will be right after a nearly identical line for vgabios:

    /usr/share/seabios/** r,

After adding that line, my VMs were able to start right back up again!
[Bug 545302] Re: allow seabios in libvirt apparmor
This bug was fixed in the package libvirt - 0.7.5-5ubuntu15

---
libvirt (0.7.5-5ubuntu15) lucid; urgency=low

  * debian/apparmor/libvirt-qemu, examples/apparmor/libvirt-qemu: allow
    seabios in the apparmor profile, LP: #545302
 -- Dustin Kirkland kirkl...@ubuntu.com Tue, 23 Mar 2010 11:28:28 -0700

** Changed in: libvirt (Ubuntu Lucid)
   Status: In Progress => Fix Released
[Bug 545302] Re: allow seabios in libvirt apparmor
Thanks Dustin for your quick help! I confirm that #545004 (and thus this issue) is fixed.