http://bugzilla.opensuse.org/show_bug.cgi?id=1065123

            Bug ID: 1065123
           Summary: libvirtd AppArmor profile: more additions for Kernel 4.14
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: openSUSE 42.2
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Virtualization:Other
          Assignee: jfehlig@suse.com
          Reporter: suse-beta@cboltz.de
        QA Contact: qa-bugs@suse.de
          Found By: Beta-Customer
           Blocker: ---

Hi Jim,

testing with Kernel 4.14 rc4 brought up that some more rules need to be
added to the usr.sbin.libvirtd AppArmor profile.

Note that this partially overlaps with the patch intrigeri (AppArmor
maintainer in Debian) sent:
https://www.redhat.com/archives/libvir-list/2017-October/msg01153.html

I needed to add the following network and signal rules:

  network netlink raw,
  signal send set=hup peer=/usr/sbin/dnsmasq,
  signal send set=(term,kill) peer=unconfined,

Also, several mount rules are needed - either as a generous "mount," rule
(as proposed by intrigeri as a quick fix to allow mounting everything), or
with the following detailed rules (which are more restrictive, but might
still need some adjustments):

  mount options=(rw,rslave) -> /,
  mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
  mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/,
  mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/,
  mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/,

BTW: according to my audit.log *), libvirtd still uses /var/run/ for these
mounts. It might be a good idea to change the code to use /run/, but that's
a completely different issue ;-)

*) For historic reasons my /var/run/ is a bind-mount to /run/ so that I can
see the difference in the audit.log. If your /var/run/ is a symlink to
/run/, you'll only see /run/ in the audit.log because AppArmor resolves
symlinks first.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
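The rules above were derived from AppArmor DENIED events in audit.log. As an added example (not part of the bug report or of the libvirt/AppArmor projects), the script below turns such mount, signal and network denials for the /usr/sbin/libvirtd profile into the corresponding profile rules, collapsing /var/run and /run into the /{var/,}run/ alternation used in the report and wildcarding the per-VM directory name. The audit lines are constructed samples in the AppArmor key="value" format; the per-VM directory generalization (QEMU_RUN_DIR) is this example's own assumption about what the rules should cover.

```python
import re
import shlex

# Constructed sample audit.log lines (not taken from the bug report), laid out
# like AppArmor DENIED events; profile and paths mirror those in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1508000000.001:101): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/sbin/libvirtd" name="/var/run/libvirt/qemu/testvm.dev/" pid=2001 comm="libvirtd" flags="rw, move" srcname="/dev/"
type=AVC msg=audit(1508000000.002:102): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=2001 comm="libvirtd" flags="rw, rslave"
type=AVC msg=audit(1508000000.003:103): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=hup peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1508000000.004:104): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
"""

# Assumed shape of libvirt's per-VM mount points: the VM name becomes '*' and
# /var/run vs. /run becomes the {var/,}run alternation from the report.
QEMU_RUN_DIR = re.compile(r"^/(?:var/)?run/libvirt/qemu/[^/]+\.(dev|hugepages|mqueue|pts|shm)/$")


def parse_event(line):
    """Split one audit line into a dict; quoted values keep their spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def generalize(path):
    m = QEMU_RUN_DIR.match(path)
    return "/{var/,}run/libvirt/qemu/*.%s/" % m.group(1) if m else path


def rule_for(ev):
    """Turn one denial into the AppArmor rule that would allow it, or None."""
    op = ev.get("operation")
    if op == "mount":
        rule = "mount options=(%s)" % ev["flags"]
        if "srcname" in ev:                      # bind/move mounts carry a source
            rule += " " + generalize(ev["srcname"])
        return rule + " -> " + generalize(ev["name"]) + ","
    if op == "signal":
        return "signal %s set=%s peer=%s," % (ev["requested_mask"], ev["signal"], ev["peer"])
    if "family" in ev:                           # socket create/send/recv denials
        return "network %s %s," % (ev["family"], ev["sock_type"])
    return None


def rules_from_audit(text, profile="/usr/sbin/libvirtd"):
    """Deduplicated rules for every DENIED event of one profile, in log order."""
    rules = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        rule = rule_for(ev)
        if rule and rule not in rules:
            rules.append(rule)
    return rules
```

Review the generated rules before adding them to the profile: a generalized path that is wider than the denial that produced it grants more than the log showed.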