Mailinglist Archive: opensuse-factory (765 mails)

Re: [opensuse-factory] apparmor, kernel 4.14 and libvirtd
On 11/27/2017 08:01 AM, Jim Fehlig wrote:
On 11/23/2017 06:32 AM, Christian Boltz wrote:
Hello,

On Wednesday, 22 November 2017, 13:30:40 CET, Michael Ströder wrote:
It seems the kernel upgrade needs another modification to apparmor
profile(s) for libvirtd:

type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d2\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

A log line with apparmor="DENIED" would be more useful - do you have one? ;-)

Also, please file a bug report - I'm not sure if Jim reads this ML.

Yes, I do, when I'm not on holidays :-).

WRT bugs, there's

https://bugzilla.opensuse.org/show_bug.cgi?id=1069562
https://bugzilla.opensuse.org/show_bug.cgi?id=1069903

If you are still seeing the problem with the fix for these bugs, please provide more info from /var/log/audit/audit.log as Christian requested.

I finally got around to updating my TW machine. Rather than trying kernel 4.14.1, I immediately installed kernel 4.14.2-3.1.gb5596a5 from

http://download.opensuse.org/repositories/Kernel:/stable/standard/x86_64/

The only problem I noticed was the following when shutting down a confined VM:

type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0

Adding the following rule to the libvirt-qemu abstraction squelches the denial:

@{PROC}/@{pid}/cmdline r,

Christian, do you think that rule is satisfactory? If so, I'll submit it upstream. Thanks!

Regards,
Jim
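
Added example (not part of the original thread, and not code from libvirt or AppArmor): a small triage script for the two audit records quoted above. It shows why only the apparmor="DENIED" record is actionable for a profile change, derives the same rule Jim proposes, and flags that the denied /proc entry belongs to a different process than the requester. The function names and the path-generalisation heuristic are assumptions made for this illustration.

```python
import re

# Constructed sample input: the two audit records quoted in this thread.
SAMPLE_LOG = [
    r"""type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d2\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'""",
    r"""type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0""",
]

# key=value or key="value" pairs as they appear in audit records
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for anything else."""
    if not line.startswith("type=AVC ") or 'apparmor="DENIED"' not in line:
        return None  # e.g. libvirt's VIRT_RESOURCE events carry no AppArmor data
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}


def suggest_rule(fields):
    """Generalise the denied path as the rule in the thread does (assumed heuristic)."""
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", fields["name"])
    return f'{path} {fields["denied_mask"]},'


def reads_other_process(fields):
    """True when the /proc/<pid>/ entry is not the requesting process's own."""
    m = re.match(r"/proc/(\d+)/", fields["name"])
    return bool(m) and m.group(1) != fields["pid"]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        fields = parse_denial(line)
        if fields is None:
            print("skip:", line.split()[0])
            continue
        print("profile:", fields["profile"], "comm:", fields["comm"])
        print("rule:   ", suggest_rule(fields))
        if reads_other_process(fields):
            print("note:    target pid differs from requester pid", fields["pid"],
                  "- @{pid} matches any process")
```

For the AVC record the script prints the rule `@{PROC}/@{pid}/cmdline r,` and the note, since the record shows pid 2958 opening `/proc/1475/cmdline`; that is the point a reviewer of the abstraction change would want to weigh.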