http://bugzilla.opensuse.org/show_bug.cgi?id=1125841
http://bugzilla.opensuse.org/show_bug.cgi?id=1125841#c8
--- Comment #8 from Martin Kalivoda <supercoolemail@seznam.cz> ---
(In reply to James Fehlig from comment #6)
Domain profiles in /etc/apparmor.d/libvirt/ are generated when starting a VM and removed when shutting it down.
This does not seem right, because https://gitlab.com/apparmor/apparmor/wikis/Libvirt#advanced-usage says that if you need to adjust access controls for a single guest, adjust /etc/apparmor.d/libvirt-, where is the UUID of the guest. Which would be totally useless if it would get removed at shutdown. It is also mentioned here https://doc.opensuse.org/documentation/leap/virtualization/html/book.virt/ch...
Now, checking the source code and when this removal you mention was introduced: https://github.com/libvirt/libvirt/commit/eba2225bc52624e748cb875e10962bc4c4... and that it is included also in libvirt 4.0.0 which is in Leap 15, it seems that both documentations are wrong.
Since the libvirt apparmor driver is not loaded, the default security model is 'none'. Setting security_default_confined has no effect when the active model is a no-op.
This is unfortunate, because the comment makes it sound that this "if apparmor is available" applies only to libvirtd, but qemu instances "will be confined by default" when config is set to nonzero (as the condition does not seem to apply to this part, as it is a different sentence).
I just installed new Tumbleweed with KVM Host and Virtualization Tools pattern. I changed only security_driver, started libvirt and I get the same error. No other changes were made after installation.
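An added example (not part of the bug report and not libvirt's own code): a Python check for the situation discussed in this comment, where security_default_confined is set in qemu.conf but the running driver reports only the no-op model. It compares the uncommented security_* settings with the `<secmodel>` entries from `virsh capabilities`; the qemu.conf text and capabilities XML below are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the bug report): security_driver is left at
# its default, security_default_confined is on, and the capabilities XML
# shows that no MAC model (apparmor/selinux) is active.
QEMU_CONF = '''
#security_driver = "selinux"
security_default_confined = 1
'''
CAPS_XML = '''<capabilities><host>
  <secmodel><model>none</model><doi>0</doi></secmodel>
  <secmodel><model>dac</model><doi>0</doi></secmodel>
</host></capabilities>'''

def parse_qemu_conf(text):
    """Return the uncommented security_* settings from qemu.conf text."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*(security_\w+)\s*=\s*(.+?)\s*$', line)
        if m:
            key, raw = m.groups()
            names = re.findall(r'"([^"]*)"', raw)  # "x" or [ "x", "y" ]
            conf[key] = names if names else int(raw)
    return conf

def active_models(caps_xml):
    """Security models the running driver reports under <host><secmodel>."""
    root = ET.fromstring(caps_xml)
    return [m.text for m in root.findall('./host/secmodel/model')]

def audit(conf_text, caps_xml):
    """List mismatches between requested and active confinement."""
    conf, active = parse_qemu_conf(conf_text), active_models(caps_xml)
    mac = [m for m in active if m not in ('none', 'dac')]
    findings = []
    for want in conf.get('security_driver', []):
        if want != 'none' and want not in active:
            findings.append(f'security_driver "{want}" requested but not active')
    if conf.get('security_default_confined') and not mac:
        findings.append('security_default_confined set, but no MAC model is '
                        'active: guests run unconfined')
    return findings

if __name__ == '__main__':
    for finding in audit(QEMU_CONF, CAPS_XML):
        print('WARN:', finding)
```

On a live host the two inputs would be the contents of /etc/libvirt/qemu.conf and the output of `virsh capabilities`.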