Bug ID 1203976
Summary libvirt fails to start machine with efi due to missing apparmor rules
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Virtualization:Other
Assignee virt-bugs@suse.de
Reporter william.brown@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open"
profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7"
name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471

This is with a machine set to "<os firmware='efi'>". The firmware is from
qemu-ovmf. This is a supported value per:

virsh domcapabilities --machine pc-q35-6.2 | less

  <os supported='yes'>
    <enum name='firmware'>
      <value>bios</value>
      <value>efi</value>
    </enum>


It appears that /var/lib/libvirt/qemu/nvram is missing from a read allow list
in the dynamic apparmor rules. 


 cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7.files>

}

It is likely that the nvram rule needs to be added to the generated .files that
is in use. 

This is a blocker to testing ALP since it is efi only.


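The denial above is the usual starting point for working out which rule a generated libvirt profile lacks. The script below is an added example, not code from this report or from libvirt's virt-aa-helper (which produces the .files include shown above): it parses kernel audit AVC records in the format quoted in the report, merges the denied permission letters per profile and path, and prints candidate AppArmor file rules. The first sample record is the denial from the report; the second (a write denial on the same NVRAM file) and the third (a non-AppArmor line that must be ignored) are constructed for the example.

```python
"""Derive candidate AppArmor file rules from AVC denial records.

Added example; it is not code from the bug report or from libvirt's
virt-aa-helper, which generates the .files profile mentioned there.
The record format is the kernel audit record quoted in the report.
"""
import re
from collections import defaultdict

# Constructed sample log: the denial quoted in the report, joined onto one
# line, plus two constructed records (a write denial on the same file, and
# an unrelated non-AVC line) so merging and filtering are visible.
SAMPLE_LOG = [
    'type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open" '
    'profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" '
    'name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471',
    # constructed: a later write denial on the same NVRAM store
    'type=AVC msg=audit(1664852217.001:1786041): apparmor="DENIED" operation="open" '
    'profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" '
    'name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 '
    'comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=471 ouid=471',
    # constructed: a non-AppArmor record that must be ignored
    'type=SYSCALL msg=audit(1664852217.001:1786041): arch=c000003e syscall=257 success=no',
]

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_PERM_ORDER = "mrwalk"            # AppArmor file permission letters, canonical order
_ALIASES = {"c": "w", "d": "w"}   # create/delete in denied_mask are granted by 'w'


def parse_record(line):
    """Split one audit record into a dict of key/value fields (quotes stripped)."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_file_denial(fields):
    """True for an AppArmor DENIED record that names a filesystem path."""
    return (fields.get("type") == "AVC"
            and fields.get("apparmor") == "DENIED"
            and fields.get("name", "").startswith("/"))


def canonical_perms(mask):
    """Map a denied_mask string onto profile permission letters in canonical order."""
    wanted = {_ALIASES.get(ch, ch) for ch in mask}
    return "".join(p for p in _PERM_ORDER if p in wanted)


def collect_denials(lines):
    """Merge all denials into {profile: {(path, owner_only): set(perms)}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in lines:
        f = parse_record(line)
        if not is_file_denial(f):
            continue
        # fsuid == ouid means the confined process owns the file, so the rule
        # can be narrowed with the 'owner' qualifier instead of granting any uid.
        owner_only = f.get("fsuid") is not None and f.get("fsuid") == f.get("ouid")
        denials[f["profile"]][(f["name"], owner_only)].update(
            canonical_perms(f.get("denied_mask", "")))
    return denials


def format_rules(denials):
    """Render merged denials as AppArmor file rules, one list per profile."""
    out = {}
    for profile, paths in denials.items():
        rules = []
        for (path, owner_only), perms in sorted(paths.items()):
            perm_str = "".join(p for p in _PERM_ORDER if p in perms)
            qualifier = "owner " if owner_only else ""
            rules.append(f'{qualifier}"{path}" {perm_str},')
        out[profile] = rules
    return out


if __name__ == "__main__":
    for profile, rules in format_rules(collect_denials(SAMPLE_LOG)).items():
        print(f"# candidate rules for {profile}")
        for rule in rules:
            print("  " + rule)
```

Two caveats when using this against a real log. The record in the report only shows the first access QEMU attempted (requested_mask="r" on open); once that is permitted, any later access the same file needs surfaces as a separate denial, so run over the whole log after each retry rather than stopping at the first record. The output is a candidate to compare against the generated .files include, not a patch to libvirt, and the `owner` qualifier is only emitted because the record shows fsuid and ouid both equal to 471.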