allow seabios in libvirt apparmor

Bug #545302 reported by Dustin Kirkland 
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
libvirt (Ubuntu) | Fix Released | High | Dustin Kirkland |
Lucid | Fix Released | High | Dustin Kirkland |

Bug Description

In Bug #541524, Id2ndR wrote 4 hours ago:
  Actually this change is responsible for new trouble with apparmor.

  Extract of /var/log/syslog:
  Mar 23 14:19:13 kiwi kernel: [ 7025.583776] type=1503 audit(1269350353.212:49): operation="open" pid=17840 parent=1 profile="libvirt- f25941b5-8a0b-086a-888e-fe8570f0487d" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/seabios/bios.bin"
[..]
  Mar 23 14:19:13 kiwi libvirtd: 14:19:13.401: error : qemudWaitForMonitor:1536 : internal error unable to start guest: char device redirected to /dev/pts/2#012qemu: could not load PC BIOS 'bios.bin'#012


Changed in libvirt (Ubuntu):
importance: Undecided → High
assignee: nobody → Dustin Kirkland (kirkland)
status: New → In Progress

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.5-5ubuntu15

---------------
libvirt (0.7.5-5ubuntu15) lucid; urgency=low

  * debian/apparmor/libvirt-qemu, examples/apparmor/libvirt-qemu:
    allow seabios in the apparmor profile, LP: #545302
 -- Dustin Kirkland <email address hidden> Tue, 23 Mar 2010 11:28:28 -0700

Changed in libvirt (Ubuntu Lucid):
status: In Progress → Fix Released

Axel (naxel) wrote :

Thanks Dustin for your quick help! I confirm that #545004 (and thus this issue) is fixed.

RobertO (rlo-launchpad) wrote :

Just a note to help others -- during my latest dist-upgrade, I was prompted whether or not I wanted to overwrite a particular kvm-related file to add another permissions line for seabios. I was worried about losing other customizations to this file and declined -- neglecting to write down the important change. (Lesson: don't do these things late at night when you're tired!)

This of course caused all my virtual machines to refuse to start with the errors shown above. It took QUITE a while for me to find the file I had to change manually, and it's such a simple change.

You must edit /etc/apparmor.d/abstractions/libvirt-qemu and add the following line (after line 63, if you haven't already added lines beyond the standard definition); it will be right after a nearly identical line for vgabios:

  /usr/share/seabios/** r,

After adding that line, my VMs were able to start right back up again!

David Varley (davidavarley) wrote :

Thanks for the note RobertO, the same thing happened to me when I upgraded to Lucid, and like you it took me some time to find the problem. Unfortunately as the years go by it seems to me that added "Security" features have become by far the biggest drain on productivity in all areas of computing.

Jamie Strandboge (jdstrand) wrote :

David, this is not a particularly helpful comment. The user was running a development release of Ubuntu and we can expect, as packaging dependencies change, etc., that things can break. This can happen with any feature, not just a security feature. If you have specific problems that affect you, please file a separate bug.

Bryan McLellan (btm) wrote :

I made the mistake of assuming that my issue couldn't have been apparmor related because I had executed '/etc/init.d/apparmor stop' to unload profiles to ensure it wasn't an apparmor problem. Apparently this wasn't true, as comment #3 made me go and try the apparmor rules anyway and this resolved the problem after an apparmor restart.

rowez (info-rowez) wrote :

On 23 March 2011 the following happened:

It is in qemu-kvm: 0.12.5+noroms-0ubuntu7.1

/<email address hidden> is symlinked to /usr/share/seabios/bios.bin

Using seabios version 0.6.0-0ubuntu1

The log in /var/log/libvirt/qemu/ gives me:

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin HOME=/home/user USER=root LOGNAME=root /usr/bin/kvm -S -M pc-0.12 -cpu qemu32 -m 256 -smp 1 -name a -uuid 6e83fecc-97a9-5118-525a-43d5af0b58b7 -monitor unix:/var/run/libvirt/qemu/a.monitor,server,nowait -boot c -drive file=/home/user/Bureaublad/Cloud/test/1.img,if=ide,index=0,boot=on -net none -serial none -parallel none -usb -vga cirrus
qemu: could not load PC BIOS 'bios.bin'

In /var/log/syslog:

Mar 23 18:42:31 node kernel: [10186.888201] type=1400 audit(1300902151.431:36): apparmor="STATUS" operation="profile_load" name="libvirt-6e83fecc-97a9-5118-525a-43d5af0b58b7" pid=24558 comm="apparmor_parser"
Mar 23 18:42:31 node kernel: [10187.015990] type=1400 audit(1300902151.561:37): apparmor="DENIED" operation="open" parent=1 profile="libvirt-6e83fecc-97a9-5118-525a-43d5af0b58b7" name="/usr/share/seabios/bios.bin" pid=24562 comm="kvm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 23 18:43:01 node libvirtd: 18:43:01.488: error : qemudOpenMonitorUnix:934 : monitor socket did not show up.: Connection refused
Mar 23 18:43:01 node kernel: [10217.292118] type=1400 audit(1300902181.841:38): apparmor="STATUS" operation="profile_remove" name="libvirt-6e83fecc-97a9-5118-525a-43d5af0b58b7" pid=24626 comm="apparmor_parser"

rowez (info-rowez) wrote :

In /etc/apparmor.d/abstractions:

Use libvirt-qemu and add /usr/share/seabios/** r, on line 59 (after /usr/share/vgabios/** r,)

Restart apparmor and virsh!

In /var/log/syslog:

With /usr/share/seabios/** r, in /etc/apparmor.d/abstractions/libvirt-qemu:

Mar 23 19:36:24 node kernel: [13419.727042] type=1400 audit(1300905384.271:76): apparmor="STATUS" operation="profile_load" name="libvirt-5872b474-ad53-8708-db86-928a9d6655b6" pid=31215 comm="apparmor_parser"
Mar 23 19:36:24 node kernel: [13419.834767] type=1400 audit(1300905384.381:77): apparmor="DENIED" operation="open" parent=1 profile="libvirt-5872b474-ad53-8708-db86-928a9d6655b6" name="/dev/fb0" pid=31218 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Mar 23 19:36:54 node libvirtd: 19:36:54.326: error : qemudOpenMonitorUnix:934 : monitor socket did not show up.: Connection refused
Mar 23 19:36:54 node kernel: [13450.036528] type=1400 audit(1300905414.581:78): apparmor="STATUS" operation="profile_remove" name="libvirt-5872b474-ad53-8708-db86-928a9d6655b6" pid=31294 comm="apparmor_parser"

Ubuntu default:

Mar 23 19:39:14 node kernel: [13589.524010] type=1400 audit(1300905554.071:94): apparmor="STATUS" operation="profile_load" name="libvirt-5872b474-ad53-8708-db86-928a9d6655b6" pid=31662 comm="apparmor_parser"
Mar 23 19:39:14 node kernel: [13589.629753] type=1400 audit(1300905554.171:95): apparmor="DENIED" operation="open" parent=1 profile="libvirt-5872b474-ad53-8708-db86-928a9d6655b6" name="/usr/share/seabios/bios.bin" pid=31665 comm="kvm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 23 19:39:44 node libvirtd: 19:39:44.121: error : qemudOpenMonitorUnix:934 : monitor socket did not show up.: Connection refused
Mar 23 19:39:44 node kernel: [13619.797636] type=1400 audit(1300905584.341:96): apparmor="STATUS" operation="profile_remove" name="libvirt-5872b474-ad53-8708-db86-928a9d6655b6" pid=31731 comm="apparmor_parser"

Serge Hallyn (serge-hallyn) wrote :

What Ubuntu release and libvirt version are you using? The apparmor libvirt-qemu file shipped with maverick (which is where qemu 0.12.5 is shipped) has:

  /usr/share/vgabios/** r,
  /usr/share/seabios/** r,

on lines 67 and 68.
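
Added example, not part of the original bug report or of the libvirt package: a small triage script for the situation in this thread. It extracts AppArmor denials for libvirt-* guest profiles from syslog in both audit formats quoted above and reports which ones the libvirt-qemu abstraction does not yet permit. The log lines, UUIDs and rule excerpts are constructed, and the glob matching is a simplified assumption covering only `*` and `**`.

```python
import re

# Constructed sample lines modelled on the two kernel audit formats quoted in this
# report (older type=1503 without an apparmor= field, newer type=1400 with one).
SAMPLE_LOG = '''\
Mar 23 14:19:13 host kernel: [ 7025.583776] type=1503 audit(1269350353.212:49): operation="open" pid=17840 parent=1 profile="libvirt-00000000-0000-0000-0000-000000000001" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/seabios/bios.bin"
Mar 23 18:42:31 host kernel: [10186.888201] type=1400 audit(1300902151.431:36): apparmor="STATUS" operation="profile_load" name="libvirt-00000000-0000-0000-0000-000000000002" pid=24558 comm="apparmor_parser"
Mar 23 18:42:31 host kernel: [10187.015990] type=1400 audit(1300902151.561:37): apparmor="DENIED" operation="open" parent=1 profile="libvirt-00000000-0000-0000-0000-000000000002" name="/usr/share/seabios/bios.bin" pid=24562 comm="kvm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 23 19:36:24 host kernel: [13419.834767] type=1400 audit(1300905384.381:77): apparmor="DENIED" operation="open" parent=1 profile="libvirt-00000000-0000-0000-0000-000000000002" name="/dev/fb0" pid=31218 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Mar 23 18:43:01 host libvirtd: 18:43:01.488: error : qemudOpenMonitorUnix:934 : monitor socket did not show up.: Connection refused
'''
# Constructed excerpts of the libvirt-qemu abstraction, before and after the fix.
RULES_BEFORE = "  /usr/share/vgabios/** r,\n"
RULES_AFTER = RULES_BEFORE + "  /usr/share/seabios/** r,\n"

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return sorted unique (path, denied_mask) pairs for libvirt-* guest profiles."""
    denials = set()
    for line in text.splitlines():
        if " audit(" not in line:
            continue  # not a kernel audit record (e.g. libvirtd's own error line)
        f = {k: (q or b) for k, q, b in KV.findall(line)}
        # STATUS records (profile_load/remove) carry no denied_mask; skip them.
        if "denied_mask" not in f or f.get("apparmor", "DENIED") != "DENIED":
            continue
        if not f.get("profile", "").startswith("libvirt-") or "name" not in f:
            continue
        mask = "".join(sorted({c for c in f["denied_mask"] if c.isalpha()}))
        denials.add((f["name"], mask))
    return sorted(denials)

def rule_regex(glob):
    """Simplified AppArmor glob: '**' crosses '/', '*' does not; no ?, [] or {}."""
    parts = re.split(r"(\*\*|\*)", glob)
    return re.compile("".join(
        ".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts))

def uncovered(denials, rules_text):
    """Denials that no plain file rule in rules_text already permits."""
    rules = []
    for line in rules_text.splitlines():
        m = re.match(r"\s*(/\S*)\s+([a-z]+),\s*$", line)
        if m:
            rules.append((rule_regex(m.group(1)), set(m.group(2))))
    return [(path, mask) for path, mask in denials
            if not any(rx.fullmatch(path) and set(mask) <= perms for rx, perms in rules)]

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(uncovered(found, RULES_BEFORE))
    print(uncovered(found, RULES_AFTER))
```

Running it against a real syslog and the installed abstraction shows whether a guest that fails with "could not load PC BIOS" is hitting a rule that is missing from the local copy of the file, as happened to the commenters who declined the packaged update.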
