libvirt/libxl: Failing to save guest due to apparmor denial
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Medium | Stefan Bader |
Trusty | Fix Released | Undecided | Unassigned |
Bug Description
Another glitch when moving from the xm to the xl toolstack: libvirtd needs to run /usr/lib/
/usr/lib/
to the profile. Or even generally allow
/usr/lib/
which would match both xen-common/bin and any xen-<version>/bin.
SRU Justification (for Trusty):
Impact: AppArmor will prevent libvirt from saving a Xen guest via libxl because the helper command cannot be executed from libvirtd.
Fix: Add the following rule to the libvirtd apparmor profile:
/usr/
Testcase: Start a (HVM) guest via libvirt, then run save (virsh). This will fail without the additional rule but succeed when it is added.
Changed in libvirt (Ubuntu):
status: New → Confirmed
assignee: nobody → Stefan Bader (smb)
importance: Undecided → Medium

Changed in libvirt (Ubuntu):
status: Confirmed → Fix Committed
After thinking and playing around with it, I think the rules should not be too loose. So will go with:
/usr/lib/xen-*/bin/libxl-save-helper PUx,
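
An added example, not part of the bug report or of the libvirt packaging: a simplified model of AppArmor path globbing that shows which paths the narrower rule in the comment above covers. The sample paths, the version string and the function names are constructed for illustration.

```python
import re

# Path glob from the rule chosen above (the PUx permission mode is left out).
RULE_GLOB = "/usr/lib/xen-*/bin/libxl-save-helper"

def aa_glob_to_regex(glob):
    """Approximate AppArmor path-glob semantics as an anchored regex.

    Subset only: '**' crosses '/', '*' and '?' do not, '{a,b}' alternates.
    Character classes and the parser's special cases are not modelled.
    """
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_matches(glob, path):
    """True if the path falls under the rule's glob."""
    return aa_glob_to_regex(glob).match(path) is not None

# Constructed sample paths; the version and the non-helper names are illustrative.
SAMPLES = [
    "/usr/lib/xen-common/bin/libxl-save-helper",     # covered
    "/usr/lib/xen-4.4/bin/libxl-save-helper",        # covered
    "/usr/lib/xen-4.4/bin/other-tool",               # different binary
    "/usr/lib/xen-4.4/extra/bin/libxl-save-helper",  # '*' does not cross '/'
]

if __name__ == "__main__":
    for p in SAMPLES:
        print("match   " if rule_matches(RULE_GLOB, p) else "no match", p)
```
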