http://bugzilla.opensuse.org/show_bug.cgi?id=1203976 William Brown changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aherzig@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1203976 http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c2 --- Comment #2 from James Fehlig --- (In reply to William Brown from comment #0)

type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open" profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471

This is with a machine set to "<os firmare='efi'>". The firmware is from qemu-ovmf. This is a supported value per:

virsh domcapabilities --machine pc-q35-6.2 | less

<os supported='yes'> <enum name='firmware'> <value>bios</value> <value>efi</value> </enum>

It appears that /var/lib/libvirt/qemu/nvram is missing from a read allow list in the dynamic apparmor rules.

cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7 # # This profile is for the domain whose UUID matches this file. #

#include

profile libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7 flags=(attach_disconnected) { #include #include

}

It is likely that the nvram rule needs to be added to the generated .files that is in use.

The libvirt-qemu abstraction should provide rules for those files. Does yours have /usr/share/qemu/** r, owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1203976 http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c4 James Fehlig changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #4 from James Fehlig --- (In reply to William Brown from comment #3)

This is leap 15.4, fully updated.

Opps, I missed that and was checking Factory. We'll need commit 7aec69b7fb9 for libvirt 8.0.0 in 15.4. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1203976 http://bugzilla.opensuse.org/show_bug.cgi?id=1203976#c6 James Fehlig changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #6 from James Fehlig --- I've added the patch to the libvirt package in our 15sp4 devel project https://build.suse.de/package/show/Devel:Virt:SLE-15-SP4/libvirt A maintenance update for libvirt is overdue, so I've submitted it to SUSE:SLE-15-SP4:Update, sr#281925. -- You are receiving this mail because: You are on the CC list for the bug.