Comment # 11 on bug 1202191 from
(In reply to Andy Millman from comment #10)
> I rebooted and sadly not working yet.
> When trying to start a VM with apparmor enabled I get the following:
> 
> type=AVC msg=audit(1660224118.236:305): apparmor="DENIED" operation="exec"
> profile="libvirtd" name="/usr/libexec/virt-aa-helper" pid=15720
> comm="rpc-libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

We are making progress - that's a new error/denial ;-)

The libvirtd profile contains
  /usr/libexec/* PUxr,
which should allow executing everything in /usr/libexec/ (even if no profile
exists for it; in that case it will run unconfined).

Please check if your /etc/apparmor.d/usr.sbin.libvirtd really includes that
rule (should be in line 109).

(IMHO that rule is too broad and insecure given the large amount of binaries in
/usr/libexec/, but that's another topic.)

Please also show the output of
    ls -l /etc/apparmor.d/usr*virt* /var/cache/apparmor/*/usr*virt*

Wild guess: if your (renamed) usr.sbin.libvirtd kept the timestamp from the
rpm, your profile cache might still have a cache file of the previous profile.
The above "ls -l" will show that.
You can try   touch /etc/apparmor.d/usr.sbin.libvirtd ; rcapparmor reload   to
ensure the cache gets updated - but please do that only _after_ saving the "ls
-l" output.
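The two checks suggested above (is the `/usr/libexec/* PUxr,` rule really in the profile, and is the compiled cache older than the edited source) as a small script. This is an added example, not part of the bug report or of the libvirt/AppArmor packages; the files it creates in demo() are constructed temporary files, not the real profile or cache.

```shell
#!/bin/sh
# Added example, not from the bug report: has_libexec_rule() confirms the
# profile still carries the "/usr/libexec/* PUxr," rule; cache_state() reports
# whether a compiled profile in the AppArmor cache is older than its source.
# A cache that is newer than an edited profile keeps the old rules in force
# until the profile is touched and reloaded, which is the "wild guess" above.
# All paths used in demo() are constructed temporary files.

# Exit 0 if the given profile file contains the /usr/libexec/* PUxr, rule.
has_libexec_rule() {
    grep -Eq '^[[:space:]]*/usr/libexec/\*[[:space:]]+PUxr,' "$1"
}

# Print "missing", "stale" or "fresh" for a cache file relative to its profile.
cache_state() {
    profile=$1
    cache=$2
    if [ ! -e "$cache" ]; then
        echo missing
    elif [ "$profile" -nt "$cache" ]; then
        echo stale
    else
        echo fresh
    fi
}

# Walk through the scenario from the comment with constructed files.
demo() {
    dir=$(mktemp -d)
    profile="$dir/usr.sbin.libvirtd"
    cache="$dir/cache/usr.sbin.libvirtd"
    mkdir -p "$dir/cache"
    printf '/usr/sbin/libvirtd {\n  /usr/libexec/* PUxr,\n}\n' > "$profile"
    : > "$cache"
    # Profile replaced but its mtime is older than the cache (e.g. kept from the rpm).
    touch -t 202208100000 "$profile"
    touch -t 202208110000 "$cache"
    has_libexec_rule "$profile" && echo "rule present"
    echo "before touch: $(cache_state "$profile" "$cache")"   # fresh: old cache would still be used
    touch "$profile"                                          # the step the comment recommends
    echo "after touch:  $(cache_state "$profile" "$cache")"   # stale: reload will rebuild it
    rm -rf "$dir"
}

demo
```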
