Hello,

On Friday, 15 September 2017 at 12:12:31 CEST, Michael Ströder wrote:
> Dominique Leuenberger wrote:
> > kernel-source (4.12.11 -> 4.13.1)
> Maybe the apparmor changes in kernel 4.13.x cause issues with apparmor and qemu-kvm.
Right. The AppArmor developers at Canonical are finally working on upstreaming all the kernel patches that were Ubuntu-only for years, and that means we finally get support for the (not-so-)new AppArmor rule types. (Some other changes were already in 4.11 and 4.12, but those were less user-visible.)

As you can see, kernel 4.13 now supports and enforces ptrace rules ;-)

Other "new" rule types are
- dbus
- mount
- signal
- pivot_root
- unix

Not all of them made it into 4.13. Kernel 4.14 will include most of them, and the last missing bits will go into 4.15.

BTW: dbus, ptrace and signal rules are already supported by aa-logprof, and seeing the progress in getting everything upstream, I should probably spend some days on aa-logprof to also add support for pivot_root, unix and mount rules ;-)
> With apparmor running I get:
>
> # ae-dir-vm.sh start
> error: Failed to start domain ae-dir-suse-p1
> error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
>
> With apparmor stopped the VM starts normally.
Sounds like https://bugzilla.opensuse.org/show_bug.cgi?id=1058847 - and that bug report already includes the rule you need to add to the libvirtd profile.

Please also check your /var/log/audit/audit.log (assuming you have auditd running, otherwise syslog or journal). If you see denials besides the two mentioned in the bug report, please add them to the bug report.

Regards,

Christian Boltz
-- 
What do we learn from this: DO NOT use reiser4 with Suse Linux 10.0. Shred and wipe offer easier ways to get rid of your data. [nordi in opensuse]
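As an added example (not part of the thread, and not a tool from the AppArmor or libvirt projects), a small script that does what the reply asks for: read auditd-format AppArmor events and count DENIED entries per profile and operation, so that denials beyond the ones already in the bug report stand out. The audit lines embedded below are constructed samples in the auditd/AppArmor key=value format, and the profile and peer names in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread or the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1505470351.123:456): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=1234 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-qemu"
type=AVC msg=audit(1505470352.001:457): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="libvirtd" name="/" pid=1235 comm="libvirtd" flags="rw, rprivate"
type=AVC msg=audit(1505470352.002:458): apparmor="ALLOWED" operation="open" profile="libvirtd" name="/etc/libvirt/qemu.conf" pid=1234 comm="libvirtd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1505470353.500:459): apparmor="DENIED" operation="signal" profile="libvirtd" pid=1234 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="libvirt-qemu"
type=SYSCALL msg=audit(1505470353.500:460): arch=c000003e syscall=62 success=no exit=-13
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict,
    or None when the line is not an AppArmor event (no apparmor= field)."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields if "apparmor" in fields else None


def summarize_denials(log_text):
    """Count apparmor="DENIED" events per (profile, operation).
    ALLOWED (complain-mode) events and non-AppArmor lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.get("apparmor") == "DENIED":
            counts[(ev.get("profile"), ev.get("operation"))] += 1
    return counts


if __name__ == "__main__":
    # Usage: python3 this.py < /var/log/audit/audit.log, or run as-is on the samples.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for (profile, op), n in sorted(summarize_denials(text).items()):
        print(f"{n:4d}  profile={profile}  operation={op}")
```

Each (profile, operation) pair that appears here and is not one of the two denials listed in the bug report is a candidate for another rule in the libvirtd profile, or for attaching to the bug report.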