[Bug 1203976] New: libvirt fails to start machine with efi due to missing apparmor rules

http://bugzilla.opensuse.org/show_bug.cgi?id=1203976 Bug ID: 1203976 Summary: libvirt fails to start machine with efi due to missing apparmor rules Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Virtualization:Other Assignee: virt-bugs@suse.de Reporter: william.brown@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open" profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471 This is with a machine set to "<os firmare='efi'>". The firmware is from qemu-ovmf. This is a supported value per: virsh domcapabilities --machine pc-q35-6.2 | less <os supported='yes'> <enum name='firmware'> <value>bios</value> <value>efi</value> </enum> It appears that /var/lib/libvirt/qemu/nvram is missing from a read allow list in the dynamic apparmor rules. cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7 # # This profile is for the domain whose UUID matches this file. # #include profile libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7 flags=(attach_disconnected) { #include #include } It is likely that the nvram rule needs to be added to the generated .files that is in use. This is a blocker to testing ALP since it is efi only. -- You are receiving this mail because: You are on the CC list for the bug.