Hi,

On Thu, Aug 03, 2017 at 10:48:47AM -0400, intrigeri wrote:
> Hi,
>
> Guido Günther:
> > According to
>
> > https://www.redhat.com/archives/libvir-list/2017-March/msg01612.html
>
> > on Jessie with
>
> > Kernel 4.9.11
> > Apparmor 2.10
>
> > unbreaks attaching disks.
>
> for the record, the Linux kernel commit John referred to (ec34fa2)
> made it into Linux 4.8.
>
> Sadly, it seems that some aspect of reloading profiles is still
> somewhat broken for me on current sid, either in the parser or in the
> kernel (tested on apparmor 2.11.0-6+b2, Linux 4.11.0-2-amd64 version
> 4.11.11-1+b1).
>
> I've used the same testing procedure as Guido
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#109), i.e.
> without involving virt-aa-helper.
>
> I see a denial logged:
>
>   AVC apparmor="DENIED" operation="open"
>   profile="libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d"
>   name="/var/lib/libvirt/images/Jessie.qcow2" pid=20033
>   comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"
>   fsuid=119 ouid=119
>
> … while apparmor_parser --debug -r
> libvirt-213ff882-ce4b-035d-e2b1-9059d66cd67d
> says access is allowed:
>
>   Mode: rwa:rwa Name: (/var/lib/libvirt/images/Jessie.qcow2)
>
> John, is there anything I can do on my side to help debug this?
>
> Guido, Frank, Carlo: can you reproduce my results on Stretch and/or
> current sid?

Yes, I can still reproduce this on Buster.

Cheers,
 -- Guido