
Thread: libvirt and apparmor

  1. #1
    Join Date
    Aug 2008
    Location
    Belgium
    Posts
    276

    libvirt and apparmor

    Hello,

    I'm on Opensuse 13.1 XEN (X86-64).
    I can start successfully a VM with Opensuse 13.1.
    This VM can only start if I set in apparmor the profile usr.sbin.libvirtd to "complain".
    But I receive each second 3 or 4 lines in /var/log/messages when I'm connected to the VM:
    Code:
    2014-01-02T09:24:17.292265+01:00 hpprol kernel: [301111.708510] type=1400 audit(1388651057.286:291800): apparmor="ALLOWED" operation="sendmsg" parent=1 profile="/usr/sbin/libvirtd//null-18" pid=7163 comm="qemu-system-i38" laddr=127.0.0.1 lport=5900 faddr=127.0.0.1 fport=52546 family="inet" sock_type="stream" protocol=6
    2014-01-02T09:24:17.292291+01:00 hpprol kernel: [301111.708875] type=1400 audit(1388651057.286:291801): apparmor="ALLOWED" operation="recvmsg" parent=1 profile="/usr/sbin/libvirtd//null-18" pid=7163 comm="qemu-system-i38" laddr=127.0.0.1 lport=5900 faddr=127.0.0.1 fport=52546 family="inet" sock_type="stream" protocol=6
    As far as I understand this "warning", it seems related to the connection to the VM. Pid 7163 is
    Code:
     ps -ef |grep 7163
    root      7163     1  0 Jan01 ?        00:03:01 /usr/lib/xen/bin/qemu-system-i386 -xen-domid 1 -chardev socket,id=libxl-cmd,path=/var/run/xen/qmp-libxl-1,server,nowait -mon chardev=libxl-cmd,mode=control -xen-attach -name Samba -vnc 127.0.0.1:0 -k fr-be -M xenpv -m 1025
    and the port 5900 is used by qemu
    Code:
    netstat -tulpn | grep 5900
    tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      7163/qemu-system-i3
    Do you know how I can configure apparmor avoiding these error messages?
    Many thanks in advance
    Philippe
    Tumbleweed (x86_64) Kernel 5.16 with KDE plasma

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: libvirt and apparmor

    On 2014-01-02 09:56, phil524 wrote:
    >
    > Hello,
    >
    > I'm on Opensuse 13.1 XEN (X86-64).
    > I can start successfully a VM with Opensuse 13.1.
    > This VM can only start if I set in apparmor the profile
    > usr.sbin.libvirtd to "complain"
    > But I receive each second 3 or 4 lines in /var/log/messages when I'm
    > connected to the VM


    Of course, that's the meaning of "complain". If you want to disable a profile, just remove the
    profile, or move it to a backup directory.


    > Do you know how I can configure apparmor avoiding these error messages?


    Bugzilla.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" (Elessar))

  3. #3
    Join Date
    Aug 2008
    Location
    Belgium
    Posts
    276

    SOLVED : libvirt and apparmor

    Hello,

    I solved the problem by modifying the configuration file "/etc/apparmor.d/usr.sbin.libvirtd".
    I work with IPv4.
    For the network I had
    Code:
    network inet dgram,
    network inet stream,
    I replaced it by
    Code:
      network inet,
    The warning messages then disappear.

    Setting apparmor to "enforce" for usr.sbin.libvirtd allows starting the VM with apparmor.

    I think that the default setting for apparmor (stream and dgram) is too restrictive. Maybe my setting is now too wide, but it works.
    The other options are: seqpacket, rdm, raw, packet. I'll try each of these and see which are needed.

    Regards
    Philippe
    Tumbleweed (x86_64) Kernel 5.16 with KDE plasma
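
An added example, not part of the thread: before widening a profile to `network inet,`, the audit lines can be tallied per profile, address family and socket type to see which `network` rules the log actually supports. The function names are illustrative, and the third sample line is constructed (the first two are the lines quoted in post #1).

```python
import re
from collections import Counter

# Post #1's two audit lines, plus one constructed DENIED line for contrast.
SAMPLE_LOG = '''\
2014-01-02T09:24:17.292265+01:00 hpprol kernel: [301111.708510] type=1400 audit(1388651057.286:291800): apparmor="ALLOWED" operation="sendmsg" parent=1 profile="/usr/sbin/libvirtd//null-18" pid=7163 comm="qemu-system-i38" laddr=127.0.0.1 lport=5900 faddr=127.0.0.1 fport=52546 family="inet" sock_type="stream" protocol=6
2014-01-02T09:24:17.292291+01:00 hpprol kernel: [301111.708875] type=1400 audit(1388651057.286:291801): apparmor="ALLOWED" operation="recvmsg" parent=1 profile="/usr/sbin/libvirtd//null-18" pid=7163 comm="qemu-system-i38" laddr=127.0.0.1 lport=5900 faddr=127.0.0.1 fport=52546 family="inet" sock_type="stream" protocol=6
2014-01-02T09:24:18.000000+01:00 hpprol kernel: [301112.000000] type=1400 audit(1388651058.000:291802): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/libvirtd" pid=7000 comm="libvirtd" family="inet6" sock_type="dgram" protocol=17
'''

# key=value or key="value" pairs as found in AppArmor kernel audit lines.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Return the fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize_network(lines):
    """Count socket events per (profile, verdict, family, sock_type)."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and 'family' in ev and 'sock_type' in ev:
            key = (ev.get('profile'), ev.get('apparmor'), ev['family'], ev['sock_type'])
            counts[key] += 1
    return counts


def candidate_rules(counts):
    """Narrowest 'network <family> <type>,' rules per profile name as logged."""
    rules = {}
    for profile, _verdict, family, sock_type in counts:
        rules.setdefault(profile, set()).add(f'network {family} {sock_type},')
    return {profile: sorted(found) for profile, found in rules.items()}


if __name__ == '__main__':
    tally = summarize_network(SAMPLE_LOG.splitlines())
    for key, n in tally.most_common():
        print(n, *key)
    for profile, found in candidate_rules(tally).items():
        print(profile, '->', ' '.join(found))
```

The profile name is reported exactly as logged, so events from a `//null-` child profile stay separate from those of the parent profile.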
