Bug ID 1131749
Summary apparmor prevents libvirt to attach-device
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.0
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter matwey.kornilov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Hello,

I am running openSUSE Leap 15.0

libvirt-daemon-4.0.0-lp150.7.6.1.x86_64
apparmor-profiles-2.12.2-lp150.6.11.2.noarch

When /usr/sbin/libvirtd is in enforced mode, I cannot attach a host USB device to
a running virtual machine. When I try to use the attach-device command in the virsh
console, I see "internal error: child reported: Kernel does not provide mount
namespace: Permission denied"

When /usr/sbin/libvirtd is in complain mode, then the device is attached
successfully using attach-device command.

The following lines from /var/log/audit/audit.log may be relevant to the issue:

type=AVC msg=audit(1554525633.687:447): apparmor="STATUS"
operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd"
pid=6675 comm="apparmor_parser"
type=AVC msg=audit(1554525633.707:448): apparmor="STATUS"
operation="profile_replace" profile="unconfined"
name="/usr/sbin/libvirtd//qemu_bridge_helper" pid=6675 comm="apparmor_parser"
type=AVC msg=audit(1554525683.639:449): apparmor="ALLOWED" operation="ptrace"
profile="/usr/sbin/libvirtd" pid=6693 comm="libvirtd" requested_mask="read"
denied_mask="read" peer="unconfined"
type=VIRT_RESOURCE msg=audit(1554525683.639:450): pid=1981 uid=0
auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=allow
vm="development_leap" uuid=04e2240b-63f9-40e4-a610-aff2d360e8bf
cgroup="/sys/fs/cgroup/devices/machine/qemu-5-developmentleap.libvirt-qemu/"
class=path path="/dev/bus/usb/001/005" rdev=BD:04 acl=rw
exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1554525683.639:451): apparmor="ALLOWED" operation="ptrace"
profile="/usr/sbin/libvirtd" pid=6694 comm="libvirtd" requested_mask="read"
denied_mask="read" peer="unconfined"
type=VIRT_RESOURCE msg=audit(1554525683.643:452): pid=1981 uid=0
auid=4294967295 ses=4294967295 msg='virt=kvm resrc=dev reason=attach
vm="development_leap" uuid=04e2240b-63f9-40e4-a610-aff2d360e8bf bus=usb
device="001.005" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=?
res=success'
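
An added example, not part of the original report: a small parser that re-joins the mail-wrapped audit records above and summarizes the AppArmor AVC events per profile, operation, mask and peer (complain mode logs `ALLOWED`, enforce mode logs `DENIED`). The function names are hypothetical and the sample is three records copied from the excerpt.

```python
import re
from collections import Counter

# Constructed sample: three records copied from the excerpt in the report,
# still wrapped across lines the way the mail shows them.
SAMPLE = '''type=AVC msg=audit(1554525633.687:447): apparmor="STATUS"
operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd"
pid=6675 comm="apparmor_parser"
type=AVC msg=audit(1554525683.639:449): apparmor="ALLOWED" operation="ptrace"
profile="/usr/sbin/libvirtd" pid=6693 comm="libvirtd" requested_mask="read"
denied_mask="read" peer="unconfined"
type=AVC msg=audit(1554525683.639:451): apparmor="ALLOWED" operation="ptrace"
profile="/usr/sbin/libvirtd" pid=6694 comm="libvirtd" requested_mask="read"
denied_mask="read" peer="unconfined"
'''

# key=value pairs; values are either double-quoted or a run of non-spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def records(text):
    """Re-join wrapped lines: a new record starts at each 'type=' line."""
    current = []
    for line in text.splitlines():
        if line.startswith("type=") and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def apparmor_events(text, verdicts=("ALLOWED", "DENIED")):
    """Return parsed AVC records whose apparmor= verdict is in `verdicts`."""
    events = []
    for rec in records(text):
        fields = {k: v.strip('"') for k, v in FIELD.findall(rec)}
        if fields.get("type") == "AVC" and fields.get("apparmor") in verdicts:
            events.append(fields)
    return events

def summarize(events):
    """Count events per (profile, operation, requested_mask, peer)."""
    return Counter((e.get("profile"), e.get("operation"),
                    e.get("requested_mask"), e.get("peer")) for e in events)

if __name__ == "__main__":
    for key, n in summarize(apparmor_events(SAMPLE)).items():
        print(n, *key)
```

Run against the full audit.log from both an enforce-mode and a complain-mode attempt, the same summary shows which operations the profile would need to permit.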

