http://bugzilla.opensuse.org/show_bug.cgi?id=1065123
http://bugzilla.opensuse.org/show_bug.cgi?id=1065123#c1

James Fehlig <jfehlig@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #1 from James Fehlig <jfehlig@suse.com> ---
(In reply to Christian Boltz from comment #0)
> Testing with Kernel 4.14 rc4 brought up that some more rules need to be
> added to the usr.sbin.libvirtd AppArmor profile.
> Some of these are needed for SLE15 (kernel 4.12.14) as well.
>
>   network netlink raw,
>   signal send set=hup peer=/usr/sbin/dnsmasq,
>   signal send set=(term,kill) peer=unconfined,
These are the ones needed in SLE15. Note that Jamie suggested changing the
signal rules to

  signal (send) peer=/usr/sbin/dnsmasq,
  signal (send) peer=libvirt-*,
> Also, several mount rules are needed - either as a generous "mount," rule
> (as proposed by intrigeri as a quick fix to allow mounting everything), or
> with the following detailed rules (which are more restrictive, but might
> still need some adjustments):
>
>   mount options=(rw,rslave) -> /,
>   mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
>
>   mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
>   mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
>   mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/,
>   mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/,
>   mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/,
>
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/,
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/,
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/,
intrigeri included these rules in V3 of his series

https://www.redhat.com/archives/libvir-list/2017-November/msg00162.html

I think patch1 is fine and has essentially already been ACKed by Jamie. I'd
prefer Jamie's feedback on patch2 as well, since I'm far from an apparmor
expert. Even though they are not yet committed upstream, I'll add these
patches to the Factory libvirt package so libvirt will actually work with
latest TW and SLE15.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
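The rules discussed in this bug (netlink socket, signal, and the mount rules for the per-domain device namespaces) are the kind of thing one derives from AppArmor DENIED audit records, the same way aa-logprof does. The following is an added example and not part of the bug report, the libvirt package, or the AppArmor project: a small Python script that parses AppArmor audit lines for one profile and prints candidate rules, generalising the per-domain `/run/libvirt/qemu/<domain>.dev/` paths to the `/{var/,}run/libvirt/qemu/*.dev/` form used in the proposed rules. The sample log lines are constructed for the example (they follow the field layout the AppArmor kernel module logs, but are not real denials from this bug), and all function names are the author's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit records (not taken from the bug report). The
# field layout mirrors what AppArmor writes to the audit log / dmesg.
SAMPLE_LOG = """\
type=AVC msg=audit(1509623789.123:456): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1234 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1509623790.456:457): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1234 comm="libvirtd" requested_mask="send" denied_mask="send" signal=hup peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1509623791.789:458): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/run/libvirt/qemu/1-guest.dev/" pid=1234 comm="libvirtd" flags="rw, move" srcname="/dev/"
type=AVC msg=audit(1509623792.000:459): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/hosts" pid=1234 comm="libvirtd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1509623793.000:460): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd"
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# /run and /var/run are the same directory on modern systems; the proposed
# rules cover both with the {var/,} alternation.
RUN_RE = re.compile(r'^/(?:var/)?run/')
# libvirt creates one <domain>.dev/, .pts/, ... directory per guest; the
# rules in the bug use a glob for the domain-specific component.
QEMU_NS_RE = re.compile(r'(/libvirt/qemu/)[^/]+\.(dev|hugepages|mqueue|pts|shm)/')


def parse_fields(line: str) -> Dict[str, str]:
    """Split one audit line into key/value pairs, stripping the quotes."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def generalize_path(path: str) -> str:
    """Rewrite a concrete path into the globbed form used in the profile."""
    path = RUN_RE.sub('/{var/,}run/', path)
    return QEMU_NS_RE.sub(r'\1*.\2/', path)


def suggest_rule(f: Dict[str, str]) -> Optional[str]:
    """Map one DENIED record to a candidate AppArmor rule, or None."""
    if f.get("apparmor") != "DENIED":
        return None
    op = f.get("operation", "")
    if op == "create" and f.get("family") == "netlink":
        return f"network netlink {f.get('sock_type', 'raw')},"
    if op == "signal":
        return f"signal {f['denied_mask']} set={f['signal']} peer={f['peer']},"
    if op == "mount":
        options = f.get("flags", "")
        target = generalize_path(f["name"])
        src = f.get("srcname")
        if src:
            return f"mount options=({options}) {generalize_path(src)} -> {target},"
        return f"mount options=({options}) -> {target},"
    if "name" in f and "denied_mask" in f:
        # Plain file access (open, exec, ...): path plus the denied mode.
        return f"{generalize_path(f['name'])} {f['denied_mask']},"
    return None


def suggest_rules(log: str, profile: str) -> List[str]:
    """Return de-duplicated candidate rules for denials against `profile`."""
    rules: List[str] = []
    for line in log.splitlines():
        f = parse_fields(line)
        if f.get("profile") != profile:
            continue
        rule = suggest_rule(f)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "/usr/sbin/libvirtd"):
        print("  " + rule)
```

Each suggestion is a starting point to review, not a rule to paste: a single mount denial generalised too eagerly (or answered with a bare `mount,`) grants the daemon far more than the one mount that actually failed, which is exactly the trade-off between the quick fix and the detailed rules discussed in the comment.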