On Sat, Apr 15, 2023 at 05:45:23PM +0200, Olaf Hering wrote:
For testing purposes I have variants of upstream qemu, which are supposed to be started via upstream libvirt.
Unfortunately, apparmor is denying executing these binaries:
type=AVC msg=audit(N.N:N): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib64/qemu-6.2/bin/qemu-system-x86_64" pid=3956 comm="rpc-libvirtd" requested_mask="x" denied_mask="x" fsuid=475 ouid=0
Apparently adding this to /etc/apparmor.d/abstractions/libvirt-qemu is not enough:
/usr/lib64/qemu-6.2 r,
/usr/lib64/qemu-6.2/bin r,
/usr/lib64/qemu-6.2/bin/qemu-system-x86_64 rmix,
What needs to be done to permit execution, except 'systemctl stop apparmor && aa-teardown'?

If you edit text files directly, apparmor needs to reload the profile, e.g. restart apparmor.

Ciao, marcus
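
An added example, not part of the thread: a small Python parser for AppArmor audit lines like the denial quoted above, grouping denials by the `profile=` field (the profile that was confining the process), the operation, the path and the denied mask. The first sample line is the one from the thread; the second line and the hex-encoded name in the test are constructed for illustration.

```python
import re
from collections import Counter

# Line 1 is the denial quoted in the thread (timestamps already masked there).
# Line 2 is constructed: a non-denial event that the summary must skip.
SAMPLE_LOG = (
    'type=AVC msg=audit(N.N:N): apparmor="DENIED" operation="exec" '
    'profile="libvirtd" name="/usr/lib64/qemu-6.2/bin/qemu-system-x86_64" '
    'pid=3956 comm="rpc-libvirtd" requested_mask="x" denied_mask="x" '
    'fsuid=475 ouid=0\n'
    'type=AVC msg=audit(N.N:N): apparmor="STATUS" operation="profile_replace" '
    'profile="unconfined" name="libvirtd" pid=4000 comm="apparmor_parser"\n'
)

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# The audit subsystem writes these strings quoted, or as bare hex when they
# contain spaces or other special characters.
STRING_FIELDS = ("name", "comm", "profile")


def parse_avc(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if bare and key in STRING_FIELDS and HEX_RE.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields


def denials(log_text):
    """Count DENIED events by (profile, operation, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED":
            continue
        key = (f.get("profile"), f.get("operation"),
               f.get("name"), f.get("denied_mask"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, path, mask), n in denials(SAMPLE_LOG).items():
        print(f"{n}x profile={profile} op={op} mask={mask} path={path}")
```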