On 11/27/2017 08:01 AM, Jim Fehlig wrote:
On 11/23/2017 06:32 AM, Christian Boltz wrote:
Hello,
On Wednesday, 22 November 2017, 13:30:40 CET, Michael Ströder wrote:
It seems the kernel upgrade needs another modification to apparmor profile(s) for libvirtd:
type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d2\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
A log line with apparmor="DENIED" would be more useful - do you have one? ;-)
Also, please file a bugreport - I'm not sure if Jim reads this ML.
Yes, I do, when I'm not on holidays :-).
WRT bugs, there's
https://bugzilla.opensuse.org/show_bug.cgi?id=1069562
https://bugzilla.opensuse.org/show_bug.cgi?id=1069903
If you are still seeing the problem with the fix for these bugs, please provide more info from /var/log/audit/audit.log as Christian requested.
I finally got around to updating my TW machine. Rather than trying kernel 4.14.1, I immediately installed kernel 4.14.2-3.1.gb5596a5 from

http://download.opensuse.org/repositories/Kernel:/stable/standard/x86_64/

The only problem I noticed was the following when shutting down a confined VM

type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0

Adding the following rule to the libvirt-qemu abstraction squelches the denial

@{PROC}/@{pid}/cmdline r,

Christian, do you think that rule is satisfactory? If so, I'll submit it upstream. Thanks!

Regards,
Jim
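
An added example, not part of the original thread and not libvirt or AppArmor project code: it parses the AVC record quoted in the message above, derives the same candidate rule, and reports whether the denied /proc path belongs to a process other than the one that was denied. The function names are hypothetical; `@{PROC}` and `@{pid}` are the AppArmor variables used in the rule above.

```python
import re

# Constructed sample input: the AVC record quoted in the message above.
SAMPLE = (
    'type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" '
    'profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" '
    'name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=469 ouid=0'
)

# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of an AppArmor denial, or None for any other record."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def suggest_rule(fields):
    """Generalise a numeric /proc/<pid> component and build a candidate rule."""
    path = re.sub(r"^/proc/\d+(?=/)", "@{PROC}/@{pid}", fields["name"])
    return f"{path} {fields['denied_mask']},"


def targets_other_process(fields):
    """True when the /proc/<pid>/ path is not the denied process's own entry."""
    match = re.match(r"/proc/(\d+)/", fields["name"])
    return bool(match) and match.group(1) != fields["pid"]


def review(line):
    """Summarise one audit line for a profile reviewer; None if not a denial."""
    fields = parse_avc(line)
    if fields is None:
        return None
    return {
        "profile": fields["profile"],
        "comm": fields["comm"],
        "rule": suggest_rule(fields),
        "other_process": targets_other_process(fields),
    }


if __name__ == "__main__":
    print(review(SAMPLE))
```

For the record in this thread the path's PID (1475) differs from the denied process's PID (2958), so the `@{pid}` rule covers reads of other processes' `cmdline`, which is the scope a reviewer of the abstraction change would be signing off on.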