[Bug 1131749] New: apparmor prevents libvirt to attach-device
http://bugzilla.opensuse.org/show_bug.cgi?id=1131749

Bug ID: 1131749
Summary: apparmor prevents libvirt to attach-device
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: matwey.kornilov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Hello,

I am running openSUSE Leap 15.0 with

libvirt-daemon-4.0.0-lp150.7.6.1.x86_64
apparmor-profiles-2.12.2-lp150.6.11.2.noarch

When /usr/sbin/libvirtd is in enforce mode, I cannot attach a host USB device to a running virtual machine. When I try to use the attach-device command in the virsh console, I see

"internal error: child reported: Kernel does not provide mount namespace: Permission denied"

When /usr/sbin/libvirtd is in complain mode, the device is attached successfully using the attach-device command.

The following lines from /var/log/audit/audit.log may be relevant to the issue:

type=AVC msg=audit(1554525633.687:447): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd" pid=6675 comm="apparmor_parser"
type=AVC msg=audit(1554525633.707:448): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd//qemu_bridge_helper" pid=6675 comm="apparmor_parser"
type=AVC msg=audit(1554525683.639:449): apparmor="ALLOWED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6693 comm="libvirtd" requested_mask="read" denied_mask="read" peer="unconfined"
type=VIRT_RESOURCE msg=audit(1554525683.639:450): pid=1981 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=allow vm="development_leap" uuid=04e2240b-63f9-40e4-a610-aff2d360e8bf cgroup="/sys/fs/cgroup/devices/machine/qemu-5-developmentleap.libvirt-qemu/" class=path path="/dev/bus/usb/001/005" rdev=BD:04 acl=rw exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1554525683.639:451): apparmor="ALLOWED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6694 comm="libvirtd" requested_mask="read" denied_mask="read" peer="unconfined"
type=VIRT_RESOURCE msg=audit(1554525683.643:452): pid=1981 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=dev reason=attach vm="development_leap" uuid=04e2240b-63f9-40e4-a610-aff2d360e8bf bus=usb device="001.005" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

-- 
You are receiving this mail because:
You are on the CC list for the bug.
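The audit lines quoted in the report are the usual way to find out which accesses an AppArmor profile is missing: in complain mode an access the policy does not grant is logged as apparmor="ALLOWED", while the same access under enforce mode is logged as apparmor="DENIED". The following Python parser is an added example, not part of the bug report or of the libvirt/AppArmor packages: it splits audit.log records into fields, keeps only the AVC records that are policy violations, and tallies them per profile, operation, mask and peer so the two modes can be compared. The sample input reuses the report's own records and adds one constructed apparmor="DENIED" line (serial 460, not from the report) to show the enforce-mode shape of the same ptrace event.

```python
import re
from collections import Counter

# Sample audit.log content: records 447, 449, 450 and 451 are the ones quoted in
# the bug report; record 460 is CONSTRUCTED for this example (not from the report)
# and shows what the same ptrace access logs as under enforce mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1554525633.687:447): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd" pid=6675 comm="apparmor_parser"
type=AVC msg=audit(1554525683.639:449): apparmor="ALLOWED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6693 comm="libvirtd" requested_mask="read" denied_mask="read" peer="unconfined"
type=VIRT_RESOURCE msg=audit(1554525683.639:450): pid=1981 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=allow vm="development_leap" uuid=04e2240b-63f9-40e4-a610-aff2d360e8bf cgroup="/sys/fs/cgroup/devices/machine/qemu-5-developmentleap.libvirt-qemu/" class=path path="/dev/bus/usb/001/005" rdev=BD:04 acl=rw exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1554525683.639:451): apparmor="ALLOWED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6694 comm="libvirtd" requested_mask="read" denied_mask="read" peer="unconfined"
type=AVC msg=audit(1554525700.000:460): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6700 comm="libvirtd" requested_mask="read" denied_mask="read" peer="unconfined"
"""

# Record header: type=<T> msg=audit(<seconds>.<millis>:<serial>): <fields...>
_HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# One key=value field; the value is double-quoted, single-quoted (msg='...' may
# contain spaces and nested "quotes"), or bare up to the next whitespace.
_FIELD = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Verdict strings that mean "the profile does not grant this access", and the
# profile mode each one implies.
MODE = {"ALLOWED": "complain", "DENIED": "enforce"}


def parse_audit_record(line):
    """Parse one audit.log line into {'type','ts','serial','fields'}; None if not a record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, dq, sq, bare in _FIELD.findall(m.group("rest")):
        fields[key] = dq or sq or bare
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}


def policy_gaps(lines):
    """Return one dict per AVC record that reports an access the profile does not grant.

    STATUS records (profile loads) and non-AVC records are skipped.
    """
    gaps = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None or rec["type"] != "AVC":
            continue
        f = rec["fields"]
        verdict = f.get("apparmor")
        if verdict not in MODE:
            continue
        gaps.append({
            "serial": rec["serial"],
            "mode": MODE[verdict],
            "profile": f.get("profile"),
            "operation": f.get("operation"),
            "requested": f.get("requested_mask"),
            "denied": f.get("denied_mask"),
            # ptrace/signal events name a peer profile; file events name a path
            "peer": f.get("peer") or f.get("name"),
        })
    return gaps


def summarize(gaps):
    """Count distinct (profile, operation, denied_mask, peer) tuples across both modes."""
    return Counter((g["profile"], g["operation"], g["denied"], g["peer"]) for g in gaps)


if __name__ == "__main__":
    gaps = policy_gaps(SAMPLE_AUDIT.splitlines())
    for (profile, op, mask, peer), n in summarize(gaps).items():
        print(f"{profile}: {op} {mask} peer={peer} x{n}")
```

Run against a real /var/log/audit/audit.log (read the file and pass its lines to policy_gaps) after reproducing the failure in complain mode; each summarized tuple corresponds to a rule the profile would need before switching it back to enforce. Note that the report's enforce-mode failure ("Kernel does not provide mount namespace: Permission denied") appears in the error text only, with no matching AVC line quoted, so a tally like this is most useful on the complain-mode run.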