Mailinglist Archive: opensuse-factory (454 mails)

Re: [opensuse-factory] apparmor, kernel 4.14 and libvirtd
Christian Boltz wrote:
On Thursday, 30 November 2017, 01:40:30 CET, Jim Fehlig wrote:
The only problem I noticed was the following when shutting down a
confined VM

type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
operation="open"
profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=469 ouid=0

Adding the following rule to the libvirt-qemu abstraction squelches
the denial

@{PROC}/@{pid}/cmdline r,

Christian, do you think that rule is satisfactory? If so, I'll submit
it upstream. Thanks!

Yes, this rule looks correct, so please submit it upstream ;-)

After updating the kernel to 4.14.2 I've tried to add the line

@{PROC}/@{pid}/cmdline r,

to the file /etc/apparmor.d/abstractions/libvirt-qemu, but I still get this
for virsh destroy <domain-name>:

type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED"
operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd"
requested_mask="send" denied_mask="send" signal=term peer="unconfined"

Ciao, Michael.
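
Added example, not part of the original mails: a small Python parser for the two audit records quoted in this thread, showing that they differ in profile and operation, so a file rule like the cmdline one only answers the first record. The function names are hypothetical, and the regex standing in for `@{PROC}/@{pid}/cmdline` is an assumed approximation of what that rule expands to.

```python
import re

# Constructed input: the two denials quoted in the thread, each joined onto one line.
SAMPLE = [
    'type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" '
    'profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" '
    'name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=469 ouid=0',
    'type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED" '
    'operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd" '
    'requested_mask="send" denied_mask="send" signal=term peer="unconfined"',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: approximates the paths matched by "@{PROC}/@{pid}/cmdline r,".
CMDLINE_RULE = re.compile(r'^/proc/\d+/cmdline$')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {key: bare or quoted for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def file_rule_covers(denial, path_re, perms):
    """True if a file rule granting `perms` on paths matching `path_re` answers this denial."""
    if "name" not in denial:  # signal, capability, ... records carry no file path
        return False
    path_ok = bool(path_re.match(denial["name"]))
    return path_ok and set(denial["denied_mask"]) <= set(perms)


def report(lines):
    """Return (profile, operation, covered_by_cmdline_rule) for each denial found."""
    rows = []
    for line in lines:
        denial = parse_denial(line)
        if denial is not None:
            covered = file_rule_covers(denial, CMDLINE_RULE, "r")
            rows.append((denial["profile"], denial["operation"], covered))
    return rows


if __name__ == "__main__":
    for profile, operation, covered in report(SAMPLE):
        print(f"{profile:50} {operation:8} covered_by_cmdline_rule={covered}")
```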
