Mailinglist Archive: opensuse-factory (421 mails)

Re: [opensuse-factory] apparmor, qemu-kvm and kernel 4.13.x (was: New Tumbleweed snapshot 20170913 released!)

On Friday, 15 September 2017, 12:12:31 CEST, Michael Ströder wrote:
> Dominique Leuenberger wrote:
> > kernel-source (4.12.11 -> 4.13.1)
>
> Maybe the apparmor changes in kernel 4.13.x cause issues with
> apparmor and qemu-kvm.

Right. The AppArmor developers at Canonical finally work on upstreaming
all the kernel patches that were Ubuntu-only for years, and that means
we finally get support for the (not-so-)new AppArmor rule types.
(Some other changes were already in 4.11 and 4.12, but those were less

As you can see, kernel 4.13 now supports and enforces ptrace rules ;-)

Other "new" rule types are
- dbus
- mount
- signal
- pivot_root
- unix

Not all of them made it into 4.13. Kernel 4.14 will include most of
them, and the last missing bits will go into 4.15.

BTW: dbus, ptrace and signal rules are already supported by aa-logprof,
and seeing the progress in getting everything upstream, I should
probably spend some days on aa-logprof to also add support for
pivot_root, unix and mount rules ;-)

> With apparmor running I get:
>
> # start
> error: Failed to start domain ae-dir-suse-p1
> error: internal error: child reported: Kernel does not provide
> mount namespace: Permission denied
>
> With apparmor stopped the VM starts normally.

Sounds like - and
that bugreport already includes the rule you need to add to the libvirtd

Please also check your /var/log/audit/audit.log (assuming you have
auditd running, otherwise syslog or journal). If you see denials besides
the two mentioned in the bugreport, please add them to the bugreport.


Christian Boltz
What do we learn from this: DO NOT use reiser4 with Suse Linux 10.0.
Shred and wipe offer easier ways to get rid of your data.
[nordi in opensuse]
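
Added example, not part of the original mail: one way to do the audit.log check suggested above is to group the AppArmor `DENIED` records by profile and operation, then set aside the operations a bug report already covers. The sample records, the `/usr/sbin/example` profile and the set of already reported operations are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample records in auditd's AppArmor format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1505470351.101:201): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=2101 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505470351.202:202): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=2102 comm="libvirtd" flags="rw, rslave"
type=AVC msg=audit(1505470352.303:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/hosts" pid=2103 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1505470352.404:204): arch=c000003e syscall=165 success=no exit=-13 comm="libvirtd"
type=AVC msg=audit(1505470353.505:205): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=2101 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505470354.606:206): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2101 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="/usr/sbin/example"
"""

# Matches key="quoted value" or key=bare_value.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def denial_summary(log_text):
    """Count DENIED events per (profile, operation, denied mask or mount flags)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        # ALLOWED records come from complain-mode profiles and block nothing.
        if ev and ev.get("apparmor") == "DENIED":
            detail = ev.get("denied_mask") or ev.get("flags", "")
            counts[(ev.get("profile", "?"), ev.get("operation", "?"), detail)] += 1
    return counts

def unreported(counts, reported_ops):
    """Drop denials whose operation is already covered by an existing report."""
    return {key: n for key, n in counts.items() if key[1] not in reported_ops}

if __name__ == "__main__":
    summary = denial_summary(SAMPLE_LOG)
    for (profile, op, detail), n in summary.most_common():
        print(f"{n:3d}  {profile}  {op}  {detail}")
    # Placeholder set: fill in the operations your bug report already lists.
    print("not yet reported:", unreported(summary, {"ptrace", "mount"}))
```

To run it against a real system, pass the contents of /var/log/audit/audit.log (or the journal output) to `denial_summary()` instead of `SAMPLE_LOG`.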
