libvirt apparmor policy does not allow /lib/udev/scsi_id

Bug #992378 reported by Richard Laager
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
libvirt (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Quantal | Fix Released | Medium | Unassigned |

Bug Description

================================================
SRU Justification:
1. Impact: virtual machines using an iSCSI storage pool do not work
2. Development fix: allow libvirt to execute /lib/udev/scsi_id
3. Stable fix: same as development fix
4. Test case: use an iscsi storage pool as backing store for a vm in
libvirt, and try to start it.
5. Regression potential: if there were a syntax error in the update, the
apparmor policy could refuse to load. Otherwise none.
================================================
When using an iSCSI storage pool, libvirt tries to run /lib/udev/scsi_id, which is denied:

type=1400 audit(1335826589.499:26): apparmor="DENIED" operation="exec" parent=29400 profile="/usr/sbin/libvirtd" name="/lib/udev/scsi_id" pid=30552 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

The apparmor policy should allow execution of /lib/udev/scsi_id.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libvirt-bin 0.9.8-2ubuntu17
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Mon Apr 30 23:49:46 2012
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
ProcEnviron:
 TERM=xterm
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.local.usr.sbin.libvirtd:
 # Site-specific additions and overrides for usr.sbin.libvirtd.
 # For more details, please see /etc/apparmor.d/local/README.
 /lib/udev/scsi_id PUx,
modified.conffile..etc.logrotate.d.libvirtd: [modified]
modified.conffile..etc.logrotate.d.libvirtd.lxc: [modified]
modified.conffile..etc.logrotate.d.libvirtd.qemu: [modified]
modified.conffile..etc.logrotate.d.libvirtd.uml: [modified]
mtime.conffile..etc.apparmor.d.local.usr.sbin.libvirtd: 2012-04-30T21:41:20.815809
mtime.conffile..etc.logrotate.d.libvirtd: 2012-04-30T17:53:14.571061
mtime.conffile..etc.logrotate.d.libvirtd.lxc: 2012-04-30T17:53:14.575062
mtime.conffile..etc.logrotate.d.libvirtd.qemu: 2012-04-30T17:53:14.575062
mtime.conffile..etc.logrotate.d.libvirtd.uml: 2012-04-30T17:53:14.579062

Richard Laager (rlaager) wrote :
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug.

To work around it you should be able to add

/lib/udev/scsi_id PUx,

to your /etc/apparmor.d/local/usr.sbin.libvirtd file. If that does not suffice, that is, if you end up with a new denial message, please do let us know.

Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
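
Added example (not part of the bug thread or of the libvirt packaging): a Python triage helper that parses AppArmor audit records like the one in the description, deduplicates the denials, and returns the candidate rule and local override file for each. The second and third log records are constructed, the `PUx` exec mode is taken from the workaround in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample input. The first record is the denial quoted in the bug
# description; the second (a repeat) and third (not a denial) are made up.
SAMPLE_LOG = """\
type=1400 audit(1335826589.499:26): apparmor="DENIED" operation="exec" parent=29400 profile="/usr/sbin/libvirtd" name="/lib/udev/scsi_id" pid=30552 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=1400 audit(1335826590.100:27): apparmor="DENIED" operation="exec" parent=29400 profile="/usr/sbin/libvirtd" name="/lib/udev/scsi_id" pid=30553 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=1400 audit(1335826591.000:28): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/example" name="/etc/hosts" pid=100 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted or bare
    return fields


def local_override_path(profile):
    """Map a path-attached profile name to its /etc/apparmor.d/local file."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


def suggest_rules(log_text, exec_mode="PUx"):
    """Return {local override file: [candidate rules]} for DENIED records."""
    suggestions = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        profile = rec.get("profile", "")
        if not profile.startswith("/"):
            continue  # only path-attached profiles are handled here
        mask = rec.get("denied_mask", "")
        # Exec denials need an explicit exec mode; "PUx" is the one used in
        # the workaround on this page. Other masks are passed through as-is.
        perms = exec_mode if mask == "x" else mask
        rule = f"{rec['name']} {perms},"  # rules end with a comma
        rules = suggestions.setdefault(local_override_path(profile), [])
        if rule not in rules:
            rules.append(rule)
    return suggestions


if __name__ == "__main__":
    for path, rules in suggest_rules(SAMPLE_LOG).items():
        print(path)
        for rule in rules:
            print("  " + rule)
```
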
Richard Laager (rlaager) wrote :

I did. That file was attached to this bug report. I don't get any other denials.

Changed in libvirt (Ubuntu Quantal):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.8-2ubuntu18

---------------
libvirt (0.9.8-2ubuntu18) quantal; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: allow execution of /lib/udev/scsi_id
    (LP: #992378)
 -- Serge Hallyn <email address hidden> Wed, 02 May 2012 14:02:32 -0500

Changed in libvirt (Ubuntu Quantal):
status: In Progress → Fix Released
Serge Hallyn (serge-hallyn) wrote :

Thanks, Richard. I've uploaded the fix for quantal. To permit the SRU for precise, could you check the 'test case' ('#4') in the sru justification in the description and make sure it's right? I've pushed the tree to precise-proposed, but will wait for your ok to subscribe the ubuntu-sru team to this bug.

description: updated
Martin Pitt (pitti) wrote : Please test proposed package

Hello Richard, or anyone else affected,

Accepted libvirt into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in libvirt (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Richard Laager (rlaager) wrote :

The package in precise-proposed looks good.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.8-2ubuntu17.1

---------------
libvirt (0.9.8-2ubuntu17.1) precise-proposed; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: allow execution of /lib/udev/scsi_id
    (LP: #992378)
 -- Serge Hallyn <email address hidden> Wed, 02 May 2012 14:02:32 -0500

Changed in libvirt (Ubuntu Precise):
status: Fix Committed → Fix Released