Bug ID 1065123
Summary libvirtd AppArmor profile: more additions for Kernel 4.14
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS openSUSE 42.2
Status NEW
Severity Normal
Priority P5 - None
Component Virtualization:Other
Assignee jfehlig@suse.com
Reporter suse-beta@cboltz.de
QA Contact qa-bugs@suse.de
Found By Beta-Customer
Blocker ---

Hi Jim,

testing with Kernel 4.14 rc4 brought up that some more rules need to be added
to the usr.sbin.libvirtd AppArmor profile.

Note that this partially overlaps with the patch intrigeri (AppArmor maintainer
in Debian) sent:
https://www.redhat.com/archives/libvir-list/2017-October/msg01153.html


I needed to add the following network and signal rules:

  network netlink raw,

  signal send set=hup peer=/usr/sbin/dnsmasq,
  signal send set=(term,kill) peer=unconfined,

Also, several mount rules are needed - either as a generous "mount," rule (as
proposed by intrigeri as a quick fix to allow mounting everything), or with the
following detailed rules (which are more restrictive, but might still need some
adjustments):

  mount options=(rw,rslave)  -> /,
  mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,

  mount options=(rw, move) /dev/           -> /{var/,}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
  mount options=(rw, move) /dev/mqueue/    -> /{var/,}run/libvirt/qemu/*.mqueue/,
  mount options=(rw, move) /dev/pts/       -> /{var/,}run/libvirt/qemu/*.pts/,
  mount options=(rw, move) /dev/shm/       -> /{var/,}run/libvirt/qemu/*.shm/,

  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/       -> /dev/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/    -> /dev/mqueue/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/       -> /dev/pts/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/       -> /dev/shm/,


BTW: according to my audit.log *), libvirtd still uses /var/run/ for these
mounts. It might be a good idea to change the code to use /run/, but that's a
completely different issue ;-)

*) For historic reasons my /var/run/ is a bind-mount to /run/ so that I can see
the difference in the audit.log. If your /var/run/ is a symlink to /run/,
you'll only see /run/ in the audit.log because AppArmor resolves symlinks
first.
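Turning audit.log denials of the kind behind this report into the network, signal and mount rules listed above, including the /var/run vs /run normalisation from the footnote, as an added example (not part of the bug report or of libvirt's or AppArmor's own tooling; the log lines are constructed and their field layout is assumed):

```python
import re

# Constructed sample denials (not a real audit.log); the key="value" / key=value
# field layout is assumed from AppArmor's audit messages.
SAMPLE_AUDIT = """\
apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1201 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1201 comm="libvirtd" requested_mask="send" denied_mask="send" signal=hup peer="/usr/sbin/dnsmasq"
apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/var/run/libvirt/qemu/guest1.dev/" pid=1201 comm="libvirtd" flags="rw, move" srcname="/dev/"
apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/var/run/libvirt/qemu/guest1.dev/" pid=1201 comm="libvirtd" flags="rw, nosuid"
"""

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # quoted or bare value

def parse_denial(line):
    """Turn one audit line into a dict of its key=value fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV.finditer(line)}

def generalize_path(path):
    """Collapse /run or /var/run into {var/,}run and glob the per-guest name."""
    path = re.sub(r'^/(var/)?run/', '/{var/,}run/', path)
    return re.sub(r'(/libvirt/qemu/)[^/]+\.', r'\1*.', path)

def rule_for(d):
    """Map a parsed denial to the AppArmor rule that would permit it."""
    op = d.get("operation")
    if op == "mount":
        # srcname is absent for remounts/option changes on an existing mount point
        src = generalize_path(d["srcname"]) + " " if "srcname" in d else ""
        return f"mount options=({d['flags']}) {src}-> {generalize_path(d['name'])},"
    if op == "signal":
        return f"signal {d['requested_mask']} set={d['signal']} peer={d['peer']},"
    if "family" in d:  # socket operations carry family and sock_type
        return f"network {d['family']} {d['sock_type']},"
    raise ValueError(f"unhandled denial: {d}")

def suggest_rules(log, profile="/usr/sbin/libvirtd"):
    """Return deduplicated, sorted rules for the DENIED lines of one profile."""
    rules = set()
    for line in log.splitlines():
        d = parse_denial(line)
        if d.get("apparmor") == "DENIED" and d.get("profile") == profile:
            rules.add(rule_for(d))
    return sorted(rules)

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_AUDIT)))
```

Generated rules are a starting point only; as the report says, the detailed mount rules still need review before they go into the shipped profile.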

