[Bug 1203976] New: libvirt fails to start machine with efi due to missing apparmor rules
http://bugzilla.opensuse.org/show_bug.cgi?id=1203976
Bug ID: 1203976
Summary: libvirt fails to start machine with efi due to missing apparmor rules
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.4
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Other
Assignee: virt-bugs@suse.de
Reporter: william.brown@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open" profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471
This is with a machine set to "<os firmware='efi'>". The firmware is from
qemu-ovmf. This is a supported value per:
virsh domcapabilities --machine pc-q35-6.2 | less
<os supported='yes'>
<enum name='firmware'>
<value>bios</value>
<value>efi</value>
</enum>
It appears that /var/lib/libvirt/qemu/nvram is missing from a read allow list
in the dynamic apparmor rules.
cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
#
# This profile is for the domain whose UUID matches this file.
#
#include
William Brown
http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c1
--- Comment #1 from William Brown
http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c2
--- Comment #2 from James Fehlig
cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
#
# This profile is for the domain whose UUID matches this file.
#
#include
profile libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7 flags=(attach_disconnected) {
#include
#include
}
It is likely that the nvram rule needs to be added to the generated .files that is in use.
The libvirt-qemu abstraction should provide rules for those files. Does yours have
/usr/share/qemu/** r,
owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
-- You are receiving this mail because: You are on the CC list for the bug.
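As an added example (not code from this bug report, from libvirt or from AppArmor), a small Python check that parses the AVC denial quoted in this thread and tests whether the two abstraction rules named in comment #2 would have covered it. The AVC line and the rule strings are copied from the thread; the glob translation is a simplified stand-in for AppArmor's real matcher (only `*`, `**`, `?` and the r/w/k/l permission bits are handled).

```python
import re
import shlex
# Constructed copy of the denial from the report (not a live audit capture).
AVC_LINE = (
    'type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open" '
    'profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" '
    'name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471'
)
# The two file rules the libvirt-qemu abstraction is expected to carry (comment #2).
ABSTRACTION_RULES = [
    "/usr/share/qemu/** r,",
    "owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,",
]

def parse_avc(line):
    """Split an audit AVC record into a dict of key=value fields, quotes removed."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields

def glob_to_regex(pattern):
    """AppArmor glob to regex ('**' may cross '/', '*'/'?' may not); no {a,b} or [] support."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            out.append({"*": "[^/]*", "?": "[^/]"}.get(pattern[i], re.escape(pattern[i])))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rule(rule):
    """Parse '[owner] <glob> <perms>,' into (owner_only, compiled glob, perm set)."""
    parts = rule.rstrip(",").split()
    owner_only = parts[0] == "owner"
    path, perms = parts[1:] if owner_only else parts
    return owner_only, glob_to_regex(path), set(perms)

def find_covering_rule(avc, rules):
    """First rule granting every requested_mask bit (r/w/k/l only) for the denied
    path, else None. 'owner' rules apply only when fsuid == ouid in the record."""
    path, needed = avc["name"], set(avc["requested_mask"])
    is_owner = avc.get("fsuid") == avc.get("ouid")
    for rule in rules:
        owner_only, regex, perms = parse_rule(rule)
        if (not owner_only or is_owner) and regex.match(path) and needed <= perms:
            return rule
    return None
```

Run against the quoted denial, the `owner ... *_VARS.fd rwk` rule is the one that would have allowed the read, so its absence from the profile in use is consistent with the reported failure.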
http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c3
--- Comment #3 from William Brown
The libvirt-qemu abstraction should provide rules for those files. Does yours have
/usr/share/qemu/** r,
owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
Nope, those rules don't exist. This is Leap 15.4, fully updated.
http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c4
--- Comment #4 from James Fehlig
This is leap 15.4, fully updated.
Oops, I missed that and was checking Factory. We'll need commit 7aec69b7fb9 for libvirt 8.0.0 in 15.4.
http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c5
--- Comment #5 from William Brown
http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c6
--- Comment #6 from James Fehlig