apparmor denies save and restore

This may be better:

  # for save and resume
  #include <abstractions/private-files-strict>
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,
  # 'owner' makes sure we don't overwrite the user's files (ie, if the file
  # exists, it must be owned by 'root')
  owner @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /var/tmp/** rw,
  owner /var/tmp/ rw,
  owner /tmp/** rw,
  owner /tmp/ rw,

Err:
  # for save and resume
  #include <abstractions/private-files-strict>
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,
  # 'owner' makes sure we don't overwrite the user's files (ie, if the file
  # exists, it must be owned by 'root')
  owner @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /var/tmp/** rw,
  owner /var/tmp/ r,
  owner /tmp/** rw,
  owner /tmp/ r,

This also affects the selinux svirt driver. According to upstream, the svirt driver needs to be modified to 'relabel' the specified state file. Until this is fixed upstream, we can temporarily work around this with documentation and profiling.

I'll provide a workaround in an SRU after 9.10 release.

In retrospect, this loss of functionality is likely important to users and it would be best to get it in before release if possible. Subscribing ubuntu-release. The final workaround is a simple profile adjustment:
  # for save and resume
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,

  # workaround https://launchpad.net/bugs/457716. The svirt driver does not
  # relabel the state file (https://bugzilla.redhat.com/show_bug.cgi?id=529363)
  # resulting in denied messages. The below works around this somewhat by
  # allowing users to save state files in their home directories. We use
  # 'owner' to make sure we don't overwrite the user's files. This will be
  # removed when the upstream bug is fixed.
  #include <abstractions/private-files-strict>
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

This bug was fixed in the package libvirt - 0.7.0-1ubuntu13

---------------
libvirt (0.7.0-1ubuntu13) karmic; urgency=low

  * allow save/restore to work in $HOME. This is a workaround until upstream
    https://bugzilla.redhat.com/show_bug.cgi?id=529363 is fixed. (LP: #457716)
  * debian/libvirt-bin.cron.daily: don't comlain if no domain XML definitions
    or domain AppArmor profiles. Based on work by Loïc Minier. (LP: #457607)

 -- Jamie Strandboge <email address hidden> Fri, 23 Oct 2009 03:52:33 -0500

I might be affected this problem though I installed released version of Ubuntu 9.10.

Phenomenon:
I executed next command in "sudo su -".

# virsh save VM_NAME STATE_FILE

This command never finish and make block other libvirt related programs like virt-top or virt-manager, and virsh, of course. I must enter ^C to get back command prompt.

Reproduction:
This problem is reproduced on newly installed and upgraded from 9.04 machines.

Enviroment:
I am using newly installed and upgraded Ubuntu 9.10 (64 bit Server ed.)
"uname -r" is 2.6.31-14-server
libvirt(libvirt-bin, libvirt0, python-libvirt) version is 0.7.0-1ubuntu13. This version number was get from "dpkg -l | grep libvirt".

Thank you.

The apparmor profile in Ubuntu works around the upstream bug, which lacks the proper functionality. Look in your /var/log/kern.log, you are probably trying to save the file outside of the allowed location. See /etc/apparmor.d/abstractions/libvirt-qemu for details.

Basically, you can write state files in your home directory if you own them. If this does not fit your workflow, please update /etc/apparmor.d/abstractions/libvirt-qemu for the location(s) you want to give write access until this functionality is properly implemented in libvirt itself.

Thank you for your advice.

I was able to save VM's state file under my own HOME directory.

I also tried to modify the apparmor configuration file(/etc/apparmor.d/abstractions/libvirt-qemu) and was able to make state files in where specified by the configuration file.

I have developed a proper fix for this for Lucid as part of the security-lucid-libvirt-apparmor-devel blueprint. As such, I added a Lucid task and marked In Progress.

Is bug #523148 related to apparmor?

Seems unrelated. Check kern.log for denials to be sure.

I'm going to unmilestone this since it mostly depends on bug #553737. If that bug is fixed, I can add my upstream work to it, otherwise this may have to wait until lucid+1.

Changes are too big for Lucid. This will be fixed in Maverick and upstream libvirt 0.7.8.

This bug was fixed in the package libvirt - 0.8.1-2ubuntu1

---------------
libvirt (0.8.1-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
    - Fixes:
      LP: #522845
      LP: #553737
      LP: #520386
    - debian/control:
      + Build-Depends on qemu-kvm, not qemu
      + Build-Depends on open-iscsi-utils, not open-iscsi
      + Build-Depends on libxml2-utils
      + Build-Depends on libapparmor-dev and Suggests apparmor
      + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
        to Depends of libvirt-bin
      + Drop qemu-kvm and qemu to Suggests
      + We call libxen-dev libxen3-dev, so change all references
      + Rename Vcs-* to XS-Debian-Vcs-*
    - debian/libvirt-bin.postinst:
      + rename the libvirt group to libvirtd
      + add each admin user to the libvirtd group
      + reload apparmor profiles
    - debian/libvirt-bin.postrm:
      + rename the libvirt group to libvirtd
      + remove apparmor symlinks on purge
    - debian/README.Debian: add AppArmor section based on the upstream
      documentation
    - debian/rules:
      + update DEB_DH_INSTALLINIT_ARGS for upstart
      + add DEB_MAKE_CHECK_TARGET := check
      + use --with-apparmor
      + copy apparmor and apport hook to debian/tmp
    - add debian/libvirt-bin.upstart
    - debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
      /etc/apparmor.d/disable, /etc/apparmor.d/force-complain,
      /etc/apparmor.d/libvirt, /etc/cron.daily and
      /usr/share/apport/package-hooks
    - add debian/libvirt-bin.cron.daily
    - add debian/libvirt-bin.apport
    - debian/libvirt-bin.install: install apparmor profiles, abstractions
      and apport hook
    - debian/apparmor:
      - add TEMPLATE
      - add libvirt-qemu abstraction
      - add usr.lib.libvirt.virt-aa-helper
      - add usr.sbin.libvirtd
    - debian/patches/series:
      + don't apply 0002-qemu-disable-network.diff.patch
      + don't apply 0005-Terminate-nc-on-EOF.patch. Use
        9010-autodetect-nc-params.patch instead
      + 9000-delayed_iff_up_bridge.patch (refreshed)
      + 9001-dont_clobber_existing_bridges.patch
      + 9002-better_default_uri_virsh.patch (updated)
      + 9004-better-default-arch.patch
      + 9005-libvirtd-group-name.patch
      + 9006-increase-unix-socket-timeout.patch (refreshed)
      + 9007-default-config-test-case.patch (updated)
      + 9008-fix-daemon-conf-ftbfs.patch (rewritten)
      + 9009-run-as-root-by-default.patch (refreshed)
      + 9010-autodetect-nc-params.patch (refreshed, formerly 9015)
      + 9011-dont-disable-ipv6.patch (updated)
  * Dropped following packaging changes, no longer required with upgrades
    from Lucid:
    - debian/control:
      + versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg
      + remove Build-Depends on libcap-ng-dev
    - debian/libvirt-bin.postinst: virt-aa-helper profile migration to
      /usr/lib/libvirt
    - debian/libvirt-bin.preinst: added to force complain on certain
      upgrades
  * Dropped the following patches, included upstream:
    - 0010-Use-base-16-for-product-vendor.patch
    - 9003-increase-logoutput-timeout.patch
    - 9010-apparmor-ftbfs...