Hello, Am Samstag, 15. April 2023, 17:45:23 CEST schrieb Olaf Hering:
For testing purposes I have variants of upstream qemu, which are supposed to be started via upstream libvirt.
Unfortunately, apparmor is denying executing these binaries:
type=AVC msg=audit(N.N:N): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib64/qemu-6.2/bin/qemu-system-x86_64" pid=3956 comm="rpc-libvirtd" requested_mask="x" denied_mask="x" fsuid=475 ouid=0
Apparently adding this to /etc/apparmor.d/abstractions/libvirt-qemu is not enough:
/usr/lib64/qemu-6.2 r, /usr/lib64/qemu-6.2/bin r,
These two rules are about directories, and slightly wrong. If you want to allow reading these directories (= directory listing), you'll need a trainling slash to indicate that the rule is about a directory, for example /usr/lib64/qemu-6.2/ r, That said - I'd guess that you don't need these two rules (unless your audit.log tells you that libvirtd really needs to read the directory listing).
/usr/lib64/qemu-6.2/bin/qemu-system-x86_64 rmix,
What needs to be done to permit execution, except 'systemctl stop apparmor && aa-teardown'?
I'd recommend to edit the correct file ;-) The libvirtd profile (checked in Tumbleweed) only includes abstractions/base and abstractions/dbus (but not abstractions/libvirt-qemu), therefore you'll need to edit /etc/apparmor.d/usr.sbin.libvirtd directly and add the mrix rule there. For completeness: abstractions/libvirt-qemu "only" gets used in /etc/apparmor.d/libvirt/TEMPLATE.qemu (and in profiles generated from this template). BTW: Completely disabling AppArmor is like using a sledge hammer ;-) Instead, you can switch an individual profile into complain mode (= learning mode, allows everything and logs what would be denied), or in worst case use aa-disable to disable a single profile. Regards, Christian Boltz -- Next I can reboot and install witouth the need to burn a DVD. Remember that then [the local installation source] should be on a partition you are not going to format, because it is very hard to read data from a partition you just formatted. ;-) [houghi in opensuse]