http://bugzilla.opensuse.org/show_bug.cgi?id=1045158 http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c1 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alarrosa@suse.com, | |jfehlig@suse.com, | |lyan@suse.com Flags| |needinfo?(alarrosa@suse.com | |) --- Comment #1 from Christian Boltz --- The libvirt AppArmor profiles are shipped in the libvirt packages, therefore I'm CC'ing the libvirt maintainers. To find out what the problem is, can you please attach your /var/log/audit/audit.log? (If you don't have auditd running, check /var/log/messages, journal and/or the dmesg output for AppArmor messages.) (In reply to Antonio Larrosa from comment #0)

Once I stopped apparmor with systemctl stop apparmor.service, virtual machines can be started fine. If I start apparmor afterwards, I can stop and start virtual machines correctly, but if I do: systemctl restart libvirtd with apparmor running, then I can't run virtual machines anymore.

That's easy to explain - by stopping AppArmor, you remove the confinement from running processes, and "rcapparmor start" isn't able to (re-)confine running processes (unless you restart those processes). That's why AppArmor gets in your way again after restarting libvirtd. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1045158 http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c3 --- Comment #3 from Antonio Larrosa --- (In reply to Christian Boltz from comment #1)

The libvirt AppArmor profiles are shipped in the libvirt packages, therefore I'm CC'ing the libvirt maintainers.

Ah, thanks for the information, I didn't notice that. Just fyi, I did:

md5sum /etc/apparmor.d/abstractions/libvirt-lxc /etc/apparmor.d/abstractions/libvirt-qemu /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper /etc/apparmor.d/usr.sbin.libvirtd b0dbd7b35a91314b592474772fe17cb8 /etc/apparmor.d/abstractions/libvirt-lxc 18809bf3afe854b2434e71ee6780988d /etc/apparmor.d/abstractions/libvirt-qemu 2424ab5112f759d7f17c2fdf508c1000 /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper f4609c49e7bbee160b13b5001f5a55e4 /etc/apparmor.d/usr.sbin.libvirtd

And they're the same in my Leap 42.3 and TW systems. Which was completely unexpected.

To find out what the problem is, can you please attach your /var/log/audit/audit.log? (If you don't have auditd running, check /var/log/messages, journal and/or the dmesg output for AppArmor messages.)

Done -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1045158 http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c5 --- Comment #5 from Antonio Larrosa --- (In reply to Christian Boltz from comment #4)

The relevant log line is

... apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" ...

This means the libvirtd profile needs the attach_disconnected flag: /usr/sbin/libvirtd (flags=attach_disconnected) {

Does libvirt work after adding the flag and "systemctl reload apparmor"?

Hmm, I think you meant /usr/sbin/libvirtd flags=(attach_disconnected) { right? I'm afraid the flag was already there, so it must be something else. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1045158 http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c7 --- Comment #7 from Christian Boltz --- I just checked the package, and the libvirtd profile indeed already includes the attach_disconnected flag - which also means you shouldn't see the message you've seen ;-) Antonio, do you still see this problem? If so, does it work after switching the profile to complain mode? If you answer one of these questions with yes, please attach a fresh audit.log and the output of rpm -Vf libvirt-daemon -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1045158 http://bugzilla.opensuse.org/show_bug.cgi?id=1045158#c9 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #9 from Christian Boltz --- Thanks for the feedback! I'll close this bug (the attach_disconnected flag which I'd expect to fix this is already in place), but if you see this again, feel free to reopen ;-) -- You are receiving this mail because: You are on the CC list for the bug.