
Can't use /var/lib/libvirt/images for whonix images - What to do about apparmor?

#1

In the wiki it is stated:

Source: https://www.whonix.org/wiki/KVM#Moving_Whonix_Image_Files

Well, I don’t have enough disk space in my /var partition and thus want to store the Whonix images on a partition of another hard drive which is not mounted by default.

I see that I have to edit the XML files for the storage location.
But what steps do I have to take to make AppArmor work with it the way it should?

For example, at the moment my whonix workstation and gateway images are located in:
/media/truecrypt1/whonix/

The whonix folder has my user account as owner.
And the truecrypt container file is stored on another drive in
/media/drivename/tc/data.tc
This other drive is not mounted by default after booting the system.
The same applies to the truecrypt container file. I only want to open it when I need to use Whonix and Tor.

What steps do I have to take to make AppArmor work with this kind of configuration?

#2

I can see that the documentation is confusing so I need your help verifying if apparmor does work for images in alternative locations and I’ll fix it up.

Run:
sudo aa-status

and see if you get something like:

processes are in enforce mode :

libvirt-a22e3930-d87a-584e-22b2-1d8950212bac (6089)

Make sure the Whonix VMs in the alternate location are the only machines up and running, to avoid wrong results.

#3

Okay.

I am running Kubuntu 16.04 LTS on this machine and I get the following output:

sudo aa-status
[sudo] password for XXXXXXXX: 
apparmor module is loaded.
28 profiles are loaded.
28 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/freshclam
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/libvirt/virt-aa-helper
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//pxgsettings
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/lib/telepathy/telepathy-ofono
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/libvirtd
   /usr/sbin/mysqld-akonadi
   /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
   /usr/sbin/tcpdump
   libvirt-2f9fc84b-6054-42b0-bdf9-35be96d1ccd6
   libvirt-2f9fc84b-6054-42b0-bdf9-35be96d1ccd6//qemu_bridge_helper
   libvirt-d241b502-f98b-4e74-8740-61b5877fd3c3
   libvirt-d241b502-f98b-4e74-8740-61b5877fd3c3//qemu_bridge_helper
0 profiles are in complain mode.
10 processes have profiles defined.
10 processes are in enforce mode.
   /sbin/dhclient (3073) 
   /usr/bin/freshclam (1265) 
   /usr/lib/telepathy/mission-control-5 (2412) 
   /usr/sbin/cups-browsed (3567) 
   /usr/sbin/cupsd (3565) 
   /usr/sbin/cupsd (3574) 
   /usr/sbin/libvirtd (1486) 
   /usr/sbin/mysqld-akonadi///usr/sbin/mysqld (2625) 
   libvirt-2f9fc84b-6054-42b0-bdf9-35be96d1ccd6 (7667) 
   libvirt-d241b502-f98b-4e74-8740-61b5877fd3c3 (7554) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

So there are two processes called:

Okay. I will also read the articles you mentioned.

At the moment I have edited the XML files; I also had to adjust the file permissions
of my /media/truecrypt/whonix/ folder to

with

So that the virtual machine manager was able to access the files.

BTW, the virtual machine manager also changed the owner of the whonix image files from my username to root automatically.

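The check described in #2 (look for a libvirt-<uuid> entry under "processes are in enforce mode") is easy to misread because aa-status lists every profile twice: once under "profiles are in enforce mode" (the profile exists) and once under "processes are in enforce mode" (a running QEMU is actually confined by it). The script below, an added example that is not part of the Whonix wiki or of anyone's post in this thread, parses an aa-status dump and a generated libvirt-<uuid>.files fragment so the two cases cannot be confused. The aa-status excerpt is abridged from the output in #3 and reuses its first UUID; the .files fragment, its rule format and the image file name Whonix-Gateway.qcow2 are constructed for the example (on Debian/Ubuntu virt-aa-helper writes /etc/apparmor.d/libvirt/libvirt-<uuid>.files, but check the real file on your host).

```shell
#!/bin/sh
# Added example: verify that libvirt's per-VM AppArmor profile confines a guest
# whose disk image lives outside /var/lib/libvirt/images.
# The sample data below is constructed (aa-status abridged from the thread,
# .files fragment invented); on a real host feed in `virsh domuuid <domain>`,
# `sudo aa-status` and /etc/apparmor.d/libvirt/libvirt-<uuid>.files instead.

# aa_profile_state UUID < aa-status-output
# Prints one of: enforce, complain, unconfined, loaded-only, missing.
#   enforce     a running process is confined by libvirt-UUID (the wanted result)
#   loaded-only the profile exists but no process runs under it (VM not running?)
#   missing     virt-aa-helper never generated a profile for this UUID
aa_profile_state() {
    awk -v p="libvirt-$1" '
        /profiles are in enforce mode/   { sec = "pe"; next }
        /profiles are in complain mode/  { sec = "pc"; next }
        /processes are in enforce mode/  { sec = "xe"; next }
        /processes are in complain mode/ { sec = "xc"; next }
        /processes are unconfined/       { sec = "xu"; next }
        # exact match on field 1 ignores the //qemu_bridge_helper child profile
        $1 == p && sec == "xe" { state = "enforce" }
        $1 == p && sec == "xc" { state = "complain" }
        $1 == p && sec == "xu" { state = "unconfined" }
        $1 == p && (sec == "pe" || sec == "pc") && state == "" { state = "loaded-only" }
        END { print (state == "" ? "missing" : state) }'
}

# image_rule IMAGE_PATH < libvirt-UUID.files
# Prints the access mode virt-aa-helper granted for that image (e.g. rwk), or
# "none" if the image is not listed, in which case AppArmor denies QEMU the file.
# Assumed rule format:   "/path/to/image.qcow2" rwk,
image_rule() {
    awk -v img="\"$1\"" '
        $1 == img { sub(/,$/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# check_guest DOMAIN IMAGE_PATH: the real-host wrapper (needs virsh and sudo;
# not executed in this example).
check_guest() {
    uuid=$(virsh domuuid "$1") || return 1
    echo "profile state: $(sudo aa-status | aa_profile_state "$uuid")"
    echo "image rule:    $(image_rule "$2" < "/etc/apparmor.d/libvirt/libvirt-$uuid.files")"
}

# --- constructed sample data -------------------------------------------------
SAMPLE_UUID=2f9fc84b-6054-42b0-bdf9-35be96d1ccd6
SAMPLE_IMAGE=/media/truecrypt1/whonix/Whonix-Gateway.qcow2   # hypothetical name

SAMPLE_AA_STATUS='apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /usr/lib/libvirt/virt-aa-helper
   /usr/sbin/libvirtd
   libvirt-2f9fc84b-6054-42b0-bdf9-35be96d1ccd6
   libvirt-2f9fc84b-6054-42b0-bdf9-35be96d1ccd6//qemu_bridge_helper
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/libvirtd (1486)
   libvirt-2f9fc84b-6054-42b0-bdf9-35be96d1ccd6 (7667)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

SAMPLE_FILES='  "/media/truecrypt1/whonix/Whonix-Gateway.qcow2" rwk,
  "/var/lib/libvirt/qemu/nvram/" r,'

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_AA_STATUS" | aa_profile_state "$SAMPLE_UUID"   # enforce
printf '%s\n' "$SAMPLE_FILES" | image_rule "$SAMPLE_IMAGE"             # rwk
```

Run the real check with the guest started (`check_guest Whonix-Gateway /media/truecrypt1/whonix/Whonix-Gateway.qcow2`, adjusting names to yours). A "loaded-only" result with the VM running, or "none" for the image, means the profile was not regenerated after the XML was edited; restarting the guest makes libvirtd call virt-aa-helper again with the new disk paths. AppArmor is only half the picture: the QEMU process also needs ordinary filesystem access, so every directory above the image (here /media and /media/truecrypt1) must be searchable by the user QEMU runs as (the `user` setting in /etc/libvirt/qemu.conf), and with `dynamic_ownership` enabled libvirt chowns the image files to that user when the guest starts, which is the ownership change reported in #3.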
#4

You’re all set. I will add your permissions step on there. :)

#5

Thanks a lot for your help.
