https://bugzilla.suse.com/show_bug.cgi?id=1208567 https://bugzilla.suse.com/show_bug.cgi?id=1208567#c9 William Brown <william.brown@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(william.brown@sus | |e.com) | --- Comment #9 from William Brown <william.brown@suse.com> --- (In reply to David Disseldorp from comment #6)
(In reply to David Disseldorp from comment #5)
(In reply to David Disseldorp from comment #3) ...
Putting it on my queue. My initial impression is that some changes to virt-aa-helper are needed to permit the file locking.
Actually, it looks like what's needed here is a follow up to the boo#1203976 7aec69b7-apparmor-Fix-QEMU-access-for-UEFI.patch which permits locking of qemu-ovmf-x86_64 paths installed under /usr/share/qemu/ovmf-*.bin . It looks as though this edk2/OVMF path is somewhat SUSE-unique, which would explain why this didn't make it into the upstream profile.
@William: please try manually changing the profile at /etc/apparmor.d/abstractions/libvirt-qemu :
@@ -90,7 +90,7 @@ /usr/share/proll/** r, /usr/share/qemu-efi/** r, /usr/share/qemu-kvm/** r, - /usr/share/qemu/** r, + /usr/share/qemu/** rk, /usr/share/seabios/** r, /usr/share/sgabios/** r, /usr/share/slof/** r,
Then as root reload the profile (reload of all profiles is probably easiest):
Will this prevent successful upgrading of the profile in future though? That file is owned by libvirt-daemon-8.0.0-150400.7.3.1.x86_64, and is listed as a config file meaning that if I modify it, rpm will no longer alter or upgrade the content going forward. So I think i'd rather just wait for an update. -- You are receiving this mail because: You are on the CC list for the bug.