http://bugzilla.opensuse.org/show_bug.cgi?id=1202191
http://bugzilla.opensuse.org/show_bug.cgi?id=1202191#c12

Andy Millman <andy_millman@yahoo.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #12 from Andy Millman <andy_millman@yahoo.co.uk> ---
(In reply to Christian Boltz from comment #11)
> The libvirtd profile contains /usr/libexec/* PUxr, which should allow to
> execute everything in /usr/libexec/ (even if no profile exists for it, in
> this case it will run unconfined).
>
> Please check if your /etc/apparmor.d/usr.sbin.libvirtd really includes that
> rule (should be in line 109).

Yes it includes that line.

> (IMHO that rule is too broad and insecure given the large amount of binaries
> in /usr/libexec/, but that's another topic.)
>
> Please also show the output of
>     ls -l /etc/apparmor.d/usr*virt* /var/cache/apparmor/*/usr*virt*
>
> Wild guess: if your (renamed) usr.sbin.libvirtd kept the timestamp from the
> rpm, your profile cache might still have a cache file of the previous
> profile. The above "ls -l" will show that. You can try
>     touch /etc/apparmor.d/usr.sbin.libvirtd ; rcapparmor reload
> to ensure the cache gets updated - but please do that only _after_ saving
> the "ls -l" output.

Ok you guessed the correct issue! It was caching an old copy of the file. The touch command fixed everything.

Sincere thanks for your help in tracking down and helping to fix this issue. Much appreciated! Also sincere thanks to James Fehlig for all the help. Much appreciated!
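
An added example, not part of the bug thread: a heuristic check for the situation diagnosed above, where a replaced or renamed profile keeps an old mtime and the cache file written for the previous profile still looks current. It assumes the cache layout from the ls command above (/var/cache/apparmor/<dir>/<profile name>) and GNU stat; the function name is hypothetical.

```shell
# stale_cache_suspects PROFILE_DIR CACHE_ROOT [GLOB]
#
# Prints "profile<TAB>cache" for every pair where
#   - the cache file's mtime is not older than the profile's mtime, so a
#     timestamp comparison alone would treat the cache as current, and
#   - the profile's ctime is newer than the cache file's ctime, i.e. the
#     profile was renamed or replaced after the cache was last written.
# This is a heuristic (an assumption of this example, not AppArmor's own
# logic): a chmod/chown on the profile also bumps its ctime and is flagged.
# Files pulled in by the profile via include are not examined.
stale_cache_suspects() {
    local profile_dir=$1 cache_root=$2 pattern=${3:-*}
    local profile name cache p_mtime p_ctime c_mtime c_ctime
    for profile in "$profile_dir"/$pattern; do
        [ -f "$profile" ] || continue
        name=${profile##*/}
        p_mtime=$(stat -c %Y "$profile")   # last content modification
        p_ctime=$(stat -c %Z "$profile")   # last inode change (rename, replace)
        for cache in "$cache_root"/*/"$name"; do
            [ -f "$cache" ] || continue
            c_mtime=$(stat -c %Y "$cache")
            c_ctime=$(stat -c %Z "$cache")
            if [ "$c_mtime" -ge "$p_mtime" ] && [ "$p_ctime" -gt "$c_ctime" ]; then
                printf '%s\t%s\n' "$profile" "$cache"
            fi
        done
    done
}

# Usage on a live system, matching the paths quoted in the thread:
#   stale_cache_suspects /etc/apparmor.d /var/cache/apparmor 'usr*virt*'
```

For any pair it reports, the touch and reload sequence quoted above forces the cache to be rebuilt.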