http://bugzilla.opensuse.org/show_bug.cgi?id=1203976
http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c2
--- Comment #2 from James Fehlig
type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open" profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471
This is with a machine set to "<os firmware='efi'>". The firmware is from qemu-ovmf. This is a supported value per:
virsh domcapabilities --machine pc-q35-6.2 | less
<os supported='yes'>
  <enum name='firmware'>
    <value>bios</value>
    <value>efi</value>
  </enum>
It appears that /var/lib/libvirt/qemu/nvram is missing from a read allow list in the dynamic apparmor rules.
cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
#
# This profile is for the domain whose UUID matches this file.
#

#include

profile libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7 flags=(attach_disconnected) {
  #include
  #include
}
It is likely that the nvram rule needs to be added to the generated .files that is in use.
The libvirt-qemu abstraction should provide rules for those files. Does yours have

  /usr/share/qemu/** r,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
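The check the comment asks for (does a rule in the abstraction actually cover the path in the AVC denial?) can be automated instead of eyeballed. The script below is an added example, not part of this bug report or of libvirt: it parses the audit line quoted above, translates AppArmor path globs (`*`, `**`, `?`, `{a,b}`) to regexes, honours the `owner` qualifier by comparing `fsuid` and `ouid`, and reports which rules would have granted the denied mask. The two abstraction snippets are constructed stand-ins for the relevant lines of abstractions/libvirt-qemu (one with the nvram rule, one without), not copies of the real file, and only file rules of the form `[owner] /path perms,` are understood.

```python
import re

# Audit line from the bug report, embedded so the example runs offline.
AVC_LINE = (
    'type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open" '
    'profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" '
    'name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=471 ouid=471'
)

# Constructed stand-ins for the relevant part of abstractions/libvirt-qemu
# (assumption: the real file has more rules; only these two matter here).
ABSTRACTION_WITH_NVRAM = """\
  /usr/share/qemu/** r,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
"""
ABSTRACTION_WITHOUT_NVRAM = """\
  /usr/share/qemu/** r,
"""


def parse_avc(line):
    """Return the key=value fields of an AppArmor audit line as a dict (quotes stripped)."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in fields}


def _glob_body(glob):
    """Translate an AppArmor path glob into an unanchored regex body."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith('**', i):          # ** crosses directory boundaries
            out.append('.*')
            i += 2
        elif glob[i] == '*':                  # * stops at '/'
            out.append('[^/]*')
            i += 1
        elif glob[i] == '?':                  # single non-'/' character
            out.append('[^/]')
            i += 1
        elif glob[i] == '{':                  # {a,b} alternation
            j = glob.index('}', i)
            alts = glob[i + 1:j].split(',')
            out.append('(?:' + '|'.join(_glob_body(a) for a in alts) + ')')
            i = j + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return ''.join(out)


def glob_to_regex(glob):
    return re.compile('^' + _glob_body(glob) + '$')


# "[owner] /path perms," -- the only rule shape this example understands.
RULE_RE = re.compile(r'^\s*(owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*$')


def parse_rules(profile_text):
    """Return (owner_only, glob, perms) for each file rule; other lines are ignored."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((bool(m.group(1)), m.group(2), set(m.group(3))))
    return rules


def covering_rules(profile_text, avc):
    """Globs of the rules in profile_text that would have allowed the access in avc."""
    needed = set(avc['denied_mask'])
    same_owner = avc.get('fsuid') == avc.get('ouid')
    hits = []
    for owner_only, glob, perms in parse_rules(profile_text):
        if owner_only and not same_owner:
            continue  # 'owner' rules only apply when the file is owned by the fsuid
        if glob_to_regex(glob).match(avc['name']) and needed <= perms:
            hits.append(glob)
    return hits


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(f"denied: {avc['name']} mask={avc['denied_mask']} profile={avc['profile']}")
    for label, text in (('with nvram rule', ABSTRACTION_WITH_NVRAM),
                        ('without nvram rule', ABSTRACTION_WITHOUT_NVRAM)):
        print(f"{label}: {covering_rules(text, avc) or 'NO RULE COVERS THIS ACCESS'}")
```

Run it against the real abstraction by replacing the constructed text with the contents of /etc/apparmor.d/abstractions/libvirt-qemu; if no glob is reported, the denial is explained by a missing rule rather than by the generated .files for the domain.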