Re: [opensuse-factory] apparmor, kernel 4.14 and libvirtd
Michael Ströder wrote:
> Christian Boltz wrote:
>> On Thursday, 30 November 2017, 01:40:30 CET, Jim Fehlig wrote:
>>> The only problem I noticed was the following when shutting down a
>>> confined VM
>>>
>>> type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
>>> name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
>>> requested_mask="r" denied_mask="r" fsuid=469 ouid=0
>>>
>>> Adding the following rule to the libvirt-qemu abstraction squelches
>>> the denial
>>>
>>> @{PROC}/@{pid}/cmdline r,
>>>
>>> Christian, do you think that rule is satisfactory? If so, I'll submit
>>> it upstream. Thanks!
>>
>> Yes, this rule looks correct, so please submit it upstream ;-)
>
> After updating the kernel to 4.14.2 I've tried to add the line
>
> @{PROC}/@{pid}/cmdline r,
>
> to the file /etc/apparmor.d/abstractions/libvirt-qemu but I still get this
> for virsh destroy <domain-name>:
>
> type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED"
> operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd"
> requested_mask="send" denied_mask="send" signal=term peer="unconfined"
>
> And virsh start <domain-name> fails with:
>
> type=AVC msg=audit(1512131645.930:1919): apparmor="DENIED"
> operation="mount" info="failed mntpnt match" error=-13
> profile="/usr/sbin/libvirtd" name="/" pid=7179 comm="libvirtd"
> flags="rw, rslave"
>
> Ciao, Michael.
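The three denials quoted above differ in kind: the first is a file access by the qemu process, the second a signal sent by libvirtd, the third a mount that matched no rule in the libvirtd profile ("failed mntpnt match"). The script below is an added example from the editor, not code from the thread or from the AppArmor or libvirt projects. It parses the audit records into their key=value fields, rewrites /proc/<pid>/ into the @{PROC}/@{pid}/ variables exactly as the rule in the thread does, and derives a candidate rule per denial. The file rule reproduces the one from the thread; the signal and mount rules are built from the log fields using AppArmor's rule syntax and are assumptions to review, not fixes verified against Michael's setup. The sample records are constructed from the lines quoted in the thread.

```python
import re

# Constructed sample input: the three DENIED records quoted in the thread,
# each re-joined onto one line the way auditd/dmesg emits them.
SAMPLE_LOG = (
    'type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" '
    'name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=469 ouid=0\n'
    'type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED" '
    'operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd" '
    'requested_mask="send" denied_mask="send" signal=term peer="unconfined"\n'
    'type=AVC msg=audit(1512131645.930:1919): apparmor="DENIED" '
    'operation="mount" info="failed mntpnt match" error=-13 '
    'profile="/usr/sbin/libvirtd" name="/" pid=7179 comm="libvirtd" '
    'flags="rw, rslave"\n'
)

# key=value pairs; quoted values may contain spaces (e.g. flags="rw, rslave").
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Split one AppArmor audit record into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def normalize_path(path):
    """Replace a concrete /proc/<pid>/ prefix with the @{PROC}/@{pid}/ variables
    used in abstractions, so one rule covers every process."""
    return re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', path)


def suggest_rule(fields):
    """Turn a DENIED record into a candidate profile rule, or None if not a denial.

    The file rule reproduces the one from the thread. The signal and mount rules
    are assumptions: they follow AppArmor's rule syntax but were not verified
    against the thread's setup and need a review before being added to a profile.
    """
    if fields.get('apparmor') != 'DENIED':
        return None
    # The first sample record carries no operation= field; a record with name=
    # and a denied_mask of r/w/x letters is a plain file access.
    op = fields.get('operation', 'file')
    if op == 'signal':
        return 'signal (%s) set=(%s) peer=%s,' % (
            fields['denied_mask'], fields['signal'], fields['peer'])
    if op == 'mount':
        # "failed mntpnt match": no mount rule accepted name= as the mount point.
        options = fields['flags'].replace(' ', '')
        return 'mount options=(%s) -> %s,' % (options, fields['name'])
    if 'name' in fields and 'denied_mask' in fields:
        return '%s %s,' % (normalize_path(fields['name']), fields['denied_mask'])
    return None


def triage(log_text):
    """Return (subject, rule) pairs for every denial in log_text; subject is the
    confining profile when logged, otherwise the comm of the denied process."""
    results = []
    for line in log_text.splitlines():
        fields = parse_avc(line)
        rule = suggest_rule(fields)
        if rule:
            subject = fields.get('profile', fields.get('comm', '?'))
            results.append((subject, rule))
    return results


if __name__ == '__main__':
    for subject, rule in triage(SAMPLE_LOG):
        print('%-24s %s' % (subject, rule))
```

Run it against `journalctl -k` or `/var/log/audit/audit.log` output to get a first pass at which profile each denial belongs to; `aa-logprof` does the same job interactively and should get the final say on what lands in the profile.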

