
Michael Ströder wrote:
Christian Boltz wrote:
On Thursday, 30 November 2017, 01:40:30 CET, Jim Fehlig wrote:
The only problem I noticed was the following when shutting down a confined VM:
type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0
Adding the following rule to the libvirt-qemu abstraction squelches the denial:
@{PROC}/@{pid}/cmdline r,
Christian, do you think that rule is satisfactory? If so, I'll submit it upstream. Thanks!
Yes, this rule looks correct, so please submit it upstream ;-)
After updating the kernel to 4.14.2 I tried to add the line
@{PROC}/@{pid}/cmdline r,
to the file /etc/apparmor.d/abstractions/libvirt-qemu, but I still get this for virsh destroy <domain-name>:
type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
And virsh start <domain-name> fails with:
type=AVC msg=audit(1512131645.930:1919): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=7179 comm="libvirtd" flags="rw, rslave"
Ciao, Michael.
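As an added illustration for this thread (not code posted by any participant, nor from libvirt or AppArmor), here is a small Python helper that turns audit "DENIED" lines like the three quoted above into candidate AppArmor rules, roughly what aa-logprof would propose. The generalisation of /proc/<pid>/ to @{PROC}/@{pid}/ and the exact form of the signal and mount rules are my assumptions about how such rules are written; every candidate still has to be reviewed by hand before it goes into a profile, since a rule that is wider than the denial (a mount rule on / in particular) loosens confinement rather than just fixing a breakage.

```python
import re

# The three denials from the thread, used here as sample input.
DENIALS = [
    'type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" '
    'profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" '
    'pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0',
    'type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED" operation="signal" '
    'profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd" requested_mask="send" '
    'denied_mask="send" signal=term peer="unconfined"',
    'type=AVC msg=audit(1512131645.930:1919): apparmor="DENIED" operation="mount" '
    'info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" '
    'pid=7179 comm="libvirtd" flags="rw, rslave"',
]

# key=value pairs; values may be double-quoted (and then may contain spaces).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Operations AppArmor reports for ordinary file access (assumed list).
FILE_OPS = {"open", "file_perm", "file_inherit", "getattr", "exec", "truncate"}


def parse_avc(line):
    """Split one audit line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def generalize_path(path):
    """Rewrite /proc/<pid>/... with the @{PROC} and @{pid} variables so the
    rule does not pin a single process id (assumption: that is the rule the
    profile author wants)."""
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)
    return re.sub(r"^/proc/", "@{PROC}/", path)


def suggest_rule(fields):
    """Return (profile, candidate_rule) for a DENIED record, or None when the
    operation is one this helper does not know how to express."""
    if fields.get("apparmor") != "DENIED":
        return None
    profile = fields.get("profile", "")
    op = fields.get("operation", "")
    if op in FILE_OPS and "name" in fields:
        mask = fields.get("denied_mask") or fields.get("requested_mask", "r")
        return profile, f"{generalize_path(fields['name'])} {mask},"
    if op == "signal":
        return profile, (f"signal ({fields.get('requested_mask', 'send')}) "
                         f"set=({fields.get('signal', '')}) "
                         f"peer={fields.get('peer', 'unconfined')},")
    if op == "mount" and "name" in fields:
        flags = fields.get("flags", "")
        opts = f"options=({flags}) " if flags else ""
        return profile, f"mount {opts}-> {fields['name']},"
    return None  # e.g. ptrace, dbus: leave for manual review


def candidates_by_profile(lines):
    """Group candidate rules by the profile that reported the denial."""
    out = {}
    for line in lines:
        hit = suggest_rule(parse_avc(line))
        if hit:
            out.setdefault(hit[0], []).append(hit[1])
    return out


if __name__ == "__main__":
    for profile, rules in candidates_by_profile(DENIALS).items():
        print(profile)
        for r in rules:
            print("   ", r)
```

Run it on lines pulled from `journalctl -k` or the audit log; the output is a starting point for `aa-logprof`-style review, not something to paste into a profile unread. Note that the mount candidate it prints, `mount options=(rw, rslave) -> /,`, grants libvirtd the right to change propagation on the root mount, which is exactly the kind of rule to think about before adding.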