libvirt and apparmor

Hello,

I’m on Opensuse 13.1 XEN (X86-64).
I can start successfully a VM with Opensuse 13.1.
This VM can only start if I set in apparmor the profile usr.sbin.libvirtd to “complain”
But I receive each second 3 or 4 lines in /var/log/messages when I’m connected to the VM

2014-01-02T09:24:17.292265+01:00 hpprol kernel: [301111.708510] type=1400 audit(1388651057.286:291800): apparmor="ALLOWED" operation="sendmsg" parent=1 profile="/usr/sbin/libvirtd//null-18" pid=7163 comm="qemu-system-i38" laddr=127.0.0.1 lport=5900 faddr=127.0.0.1 fport=52546 family="inet" sock_type="stream" protocol=6
2014-01-02T09:24:17.292291+01:00 hpprol kernel: [301111.708875] type=1400 audit(1388651057.286:291801): apparmor="ALLOWED" operation="recvmsg" parent=1 profile="/usr/sbin/libvirtd//null-18" pid=7163 comm="qemu-system-i38" laddr=127.0.0.1 lport=5900 faddr=127.0.0.1 fport=52546 family="inet" sock_type="stream" protocol=6

As far as I understand this “warning”, it seems related to the connection to the VM. PID 7163 is

ps -ef | grep 7163
root      7163     1  0 Jan01 ?        00:03:01 /usr/lib/xen/bin/qemu-system-i386 -xen-domid 1 -chardev socket,id=libxl-cmd,path=/var/run/xen/qmp-libxl-1,server,nowait -mon chardev=libxl-cmd,mode=control -xen-attach -name Samba -vnc 127.0.0.1:0 -k fr-be -M xenpv -m 1025

and port 5900 is used by qemu

netstat -tulpn | grep 5900
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      7163/qemu-system-i3 

Do you know how I can configure apparmor to avoid these error messages?
Many thanks in advance
Philippe

On 2014-01-02 09:56, phil524 wrote:
>
> Hello,
>
> I’m on Opensuse 13.1 XEN (X86-64).
> I can start successfully a VM with Opensuse 13.1.
> This VM can only start if I set in apparmor the profile
> usr.sbin.libvirtd to “complain”
> But I receive each second 3 or 4 lines in /var/log/messages when I’m
> connected to the VM

Of course, that’s the meaning of “complain”. If you want to disable a profile, just remove the
profile, or move it to a backup directory.

> Do you know how I can configure apparmor to avoid these error messages?

Bugzilla.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” (Elessar))

Hello,

I solved the problem by modifying the configuration file “/etc/apparmor.d/usr.sbin.libvirtd”.
I work with IPv4.
For the network I had

  network inet dgram,
  network inet stream,

I replaced it by

  network inet,

The warning messages then disappear.

Setting apparmor to “enforce” for usr.sbin.libvirtd allows starting the VM with apparmor ;).

I think that the default setting for apparmor (stream and dgram) is too restrictive. Maybe my setting is now too wide, but it works.
The other options are: seqpacket, rdm, raw, packet. I’ll try each of these and see which are needed.

Regards
Philippe
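As an added example (not code from this thread or from libvirt), the following Python script parses audit lines like the ones quoted above and derives, per profile, the narrowest `network <family> <type>,` rules that would cover them, so the result can be compared with the broad `network inet,` rule Philippe settled on. The sample log is constructed: the two lines from the thread with their timestamp prefix dropped, plus one invented DENIED dgram line for the parent profile.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit lines quoted in the thread (timestamp and
# "[uptime]" prefix dropped) plus one invented DENIED dgram line from the
# parent profile so that the grouping logic has more than one case to handle.
SAMPLE_LOG = """\
hpprol kernel: type=1400 audit(1388651057.286:291800): apparmor="ALLOWED" operation="sendmsg" parent=1 profile="/usr/sbin/libvirtd//null-18" pid=7163 comm="qemu-system-i38" laddr=127.0.0.1 lport=5900 faddr=127.0.0.1 fport=52546 family="inet" sock_type="stream" protocol=6
hpprol kernel: type=1400 audit(1388651057.286:291801): apparmor="ALLOWED" operation="recvmsg" parent=1 profile="/usr/sbin/libvirtd//null-18" pid=7163 comm="qemu-system-i38" laddr=127.0.0.1 lport=5900 faddr=127.0.0.1 fport=52546 family="inet" sock_type="stream" protocol=6
hpprol kernel: type=1400 audit(1388651060.000:291900): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=4242 comm="libvirtd" family="inet" sock_type="dgram" protocol=17
"""

# key=value pairs: the value is either a double-quoted string or a bare token
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields

def network_rules_from_log(lines):
    """Map each profile to the narrowest `network <family> <type>,` rules that cover
    the socket operations the log shows, with the number of log lines behind each.
    In complain mode AppArmor logs an access the profile would have denied as
    apparmor="ALLOWED"; in enforce mode the same access is logged as "DENIED".
    A "//null-N" suffix names a child profile AppArmor generated because the parent
    profile had no exec rule for the program it ran (here qemu); it is kept as logged.
    """
    rules = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = parse_audit_line(line)
        if not f or f.get('apparmor') not in ('ALLOWED', 'DENIED'):
            continue
        if 'family' not in f:
            continue  # file, capability and exec events carry no socket family
        parts = ['network', f['family']] + ([f['sock_type']] if 'sock_type' in f else [])
        rules[f['profile']][' '.join(parts) + ','] += 1
    return {p: dict(sorted(r.items())) for p, r in sorted(rules.items())}

if __name__ == '__main__':
    for profile, rules in network_rules_from_log(SAMPLE_LOG.splitlines()).items():
        print(profile)
        for rule, n in rules.items():
            print('  %-24s # seen in %d log line(s)' % (rule, n))
```

To run it over a real log, pass `open('/var/log/messages')` to `network_rules_from_log` instead of the constructed sample.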