James Fehlig changed bug 1065123
What    Removed  Added
Status  NEW      IN_PROGRESS

Comment # 1 on bug 1065123 from
(In reply to Christian Boltz from comment #0)
> testing with Kernel 4.14 rc4 brought up that some more rules need to be
> added to the usr.sbin.libvirtd AppArmor profile.

Some of these are needed for SLE15 (kernel 4.12.14) as well.

>   network netlink raw,
> 
>   signal send set=hup peer=/usr/sbin/dnsmasq,
>   signal send set=(term,kill) peer=unconfined,

These are the ones needed in SLE15. Note that Jamie suggested changing the
signal rules to 

  signal (send) peer=/usr/sbin/dnsmasq,
  signal (send) peer=libvirt-*,

> Also, several mount rules are needed - either as a generous "mount," rule
> (as proposed by intrigeri as a quick fix to allow mounting everything), or
> with the following detailed rules (which are more restrictive, but might
> still need some adjustments)
> 
>   mount options=(rw,rslave)  -> /,
>   mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
> 
>   mount options=(rw, move) /dev/           -> /{var/,}run/libvirt/qemu/*.dev/,
>   mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
>   mount options=(rw, move) /dev/mqueue/    -> /{var/,}run/libvirt/qemu/*.mqueue/,
>   mount options=(rw, move) /dev/pts/       -> /{var/,}run/libvirt/qemu/*.pts/,
>   mount options=(rw, move) /dev/shm/       -> /{var/,}run/libvirt/qemu/*.shm/,
> 
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/       -> /dev/,
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/    -> /dev/mqueue/,
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/       -> /dev/pts/,
>   mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/       -> /dev/shm/,

intrigeri included these rules in V3 of his series

https://www.redhat.com/archives/libvir-list/2017-November/msg00162.html

I think patch1 is fine and has essentially already been ACKed by Jamie. I'd
prefer Jamie's feedback on patch2 as well, since I'm far from an apparmor
expert.

Even though they are not yet committed upstream, I'll add these patches to the
Factory libvirt package so libvirt will actually work with latest TW and SLE15.
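A small triage helper, added here as an example and not part of the bug report or of libvirt: it reads AppArmor DENIED audit lines for /usr/sbin/libvirtd and prints candidate profile rules in the syntax discussed in this thread, collapsing per-guest /run/libvirt/qemu/<name>.<dev>/ paths into the /{var/,}run/libvirt/qemu/*.<dev>/ glob. The log lines are constructed samples in the usual audit key=value layout, not taken from the report; any rule it prints is a starting point for review, not something to paste into the profile unread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit lines in the shape of AppArmor DENIED events
# for /usr/sbin/libvirtd (not copied from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1510000000.100:41): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=1234 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1510000000.200:42): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1234 comm="libvirtd" requested_mask="send" denied_mask="send" signal=hup peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1510000000.300:43): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/sbin/libvirtd" name="/run/libvirt/qemu/vm1.pts/" pid=1234 comm="libvirtd" srcname="/dev/pts/" flags="rw, move"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def generalize(path: str) -> str:
    """Rewrite a per-guest /run/libvirt/qemu/<name>.<dev>/ path into the
    /{var/,}run/libvirt/qemu/*.<dev>/ glob so one rule covers every guest.
    Other paths are returned unchanged."""
    m = re.fullmatch(r'/(?:var/)?run/libvirt/qemu/[^/]+\.(\w+)/', path)
    return f'/{{var/,}}run/libvirt/qemu/*.{m.group(1)}/' if m else path

def suggest_rule(ev: Dict[str, str]) -> Optional[str]:
    """Map one libvirtd denial to a candidate AppArmor rule, or None."""
    if ev.get('apparmor') != 'DENIED' or ev.get('profile') != '/usr/sbin/libvirtd':
        return None
    op = ev.get('operation')
    if op == 'mount':
        src = ev.get('srcname')            # absent for plain (non-move) mounts
        src = f' {src}' if src else ''
        return f"mount options=({ev['flags']}){src} -> {generalize(ev['name'])},"
    if op == 'signal':
        return f"signal send set={ev['signal']} peer={ev['peer']},"
    if op == 'create' and ev.get('family'):
        return f"network {ev['family']} {ev['sock_type']},"
    return None

def rules_from_log(text: str) -> List[str]:
    """Distinct candidate rules for all matching denials, in log order."""
    out: List[str] = []
    for line in text.splitlines():
        rule = suggest_rule(parse_line(line))
        if rule and rule not in out:
            out.append(rule)
    return out

if __name__ == '__main__':
    print('\n'.join(rules_from_log(SAMPLE_LOG)))
```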
