Actually, this is happening because virt-aa-helper is exiting with an
error. Unfortunately, libvirt does not deal with this in a way that
makes it easy to debug (i.e. 'Security labelling error').

E.g.:
$ cat /tmp/fiddle2.xml | /usr/lib/libvirt/virt-aa-helper -u libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f -c --dryrun
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /media/more/isos/ubuntu-10.10-beta-desktop-i386.iso: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /dev/main/fiddle2disk: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /usr/lib/grub-rescue/grub-rescue-floppy.img
virt-aa-helper: error:   skipped restricted file
virt-aa-helper: error: invalid VM definition

Copying grub-rescue-floppy.img to /tmp and adjusting the XML works as expected:
$ cat /tmp/foo.xml | /usr/lib/libvirt/virt-aa-helper -u libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f -c --dryrun
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.725: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /media/more/isos/ubuntu-10.10-beta-desktop-i386.iso: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.726: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /dev/main/fiddle2disk: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:16:18.726: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /tmp/grub-rescue-floppy.img: No such file or directory
virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f.files
virt-aa-helper:
  "/var/log/libvirt/**/fiddle2.log" w,
  "/var/lib/libvirt/**/fiddle2.monitor" rw,
  "/var/run/libvirt/**/fiddle2.pid" rwk,
  "/media/more/isos/ubuntu-10.10-beta-desktop-i386.iso" r,
  # don't audit writes to readonly files
  deny "/media/more/isos/ubuntu-10.10-beta-desktop-i386.iso" w,
  "/dev/main/fiddle2disk" rw,
  "/tmp/grub-rescue-floppy.img" r,
  # don't audit writes to readonly files
  deny "/tmp/grub-rescue-floppy.img" w,

virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f
virt-aa-helper:
libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f
virt-aa-helper:
  #include <libvirt/libvirt-fd06659e-3354-cb8e-71d9-cfeeff86e60f.files>


** Changed in: libvirt (Ubuntu)
       Status: Incomplete => Triaged

-- 
Unhelpful Security labelling error with read-only floppy image
https://bugs.launchpad.net/bugs/647664
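
Added example, not part of the original bug comment or of libvirt: a small Python triage of the dry-run output quoted above, separating the fatal "skipped restricted file" error from the harmless missing-path warnings. The function name triage is hypothetical, and the message layout is assumed only from the lines shown in this report (paths without spaces).

```python
import re

# Constructed sample: the failing dry-run output quoted in the comment above,
# with the e-mail line wrapping undone.
SAMPLE = """\
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /media/more/isos/ubuntu-10.10-beta-desktop-i386.iso: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
14:07:38.643: warning : virDomainDiskDefForeachPath:7672 : Ignoring open failure on /dev/main/fiddle2disk: No such file or directory
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /usr/lib/grub-rescue/grub-rescue-floppy.img
virt-aa-helper: error:   skipped restricted file
virt-aa-helper: error: invalid VM definition
"""

# Layout assumed from the quoted output only.
HELPER = re.compile(r"^virt-aa-helper: (warning|error): ?(.*)$")
OPEN_FAIL = re.compile(r"Ignoring open failure on (\S+): (.+)$")


def triage(output):
    """Sort helper output into fatal errors, restricted paths, missing paths."""
    result = {"fatal": [], "restricted": [], "missing": []}
    last_error = None
    for line in output.splitlines():
        m = OPEN_FAIL.search(line)
        if m:
            # Warning only: the helper still generated a profile in the
            # second run above despite these.
            result["missing"].append(m.group(1))
            continue
        m = HELPER.match(line)
        if not m or m.group(1) != "error":
            continue
        text = m.group(2).strip()
        if (text == "skipped restricted file"
                and last_error and last_error.startswith("/")):
            # The offending path is on the preceding error line; reclassify it.
            result["restricted"].append(result["fatal"].pop())
        else:
            result["fatal"].append(text)
        last_error = text
    return result


if __name__ == "__main__":
    report = triage(SAMPLE)
    for kind in ("restricted", "fatal", "missing"):
        print(kind, report[kind])
```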