Control: retitle -1 libvirt-daemon: Deleting external snapshot for non-running system VM fails with AppArmor
When stracing libvirt, this is what happens:

6557 openat(AT_FDCWD, "/var/lib/libvirt/images/test2.qcow2", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
6557 sendmsg(13, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="{\"id\": \"libvirt-443\", \"error\": {\"class\": \"GenericError\", \"desc\": \"Could not open '/var/lib/libvirt/images/test2.qcow2': Permission denied\"}}\r\n", iov_len=142}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 <unfinished ...>

and the most recent geteuid() call responded with "0". So it actually *does* smell like an AppArmor issue, even though it's weird that it would work for a running VM then.

Running `aa-teardown` before the creation of the VM doesn't work, nor does "aa-complain libvirtd". But after `dpkg -P apparmor; reboot` it does work. So AppArmor breaks this without even logging about it, i.e. some "deny" rule.

I don't know how to make AA log deny rules -- the profile has tons of them (albeit to /proc, /dev/, etc.), and it's further complicated by the dynamic profile creation through virt-aa-helper.

As this works in current Ubuntu, it's perhaps worth looking at
https://patches.ubuntu.com/libv/libvirt/libvirt_9.6.0-1ubuntu2.patch

The most plausible one may be debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch but that requires rebuilding libvirt. But also, that patch is from 2017, and it's still broken in Ubuntu 22.04.
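Added example, not part of the original report and not libvirt or AppArmor code: AppArmor does not log a denial caused by an explicit `deny` rule unless that rule also carries the `audit` qualifier, so one way to find the rule behind a silent EACCES like the one above is to scan the profile text for unaudited `deny` rules whose path glob covers the file. The profile fragment is constructed for illustration, `glob_to_regex` and `silent_denies` are hypothetical helper names, and only the `*`, `**` and `?` glob forms are handled.

```python
import re

# Constructed sample in the style of a per-VM profile fragment (not from the report).
SAMPLE_PROFILE = '''
  "/var/log/libvirt/**/test2.log" w,
  "/var/lib/libvirt/images/test1.qcow2" rwk,
  "/var/lib/libvirt/images/test2.qcow2" rk,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/test2.qcow2" w,
  deny /proc/** w,
  audit deny /dev/mem rw,
'''

# [audit] deny [owner] <path or "quoted path"> <perms>,
RULE = re.compile(r'^\s*(?P<audit>audit\s+)?deny\s+(?:owner\s+)?'
                  r'(?:"(?P<q>[^"]+)"|(?P<p>\S+))\s+(?P<perms>[rwaklmx]+)\s*,')

def glob_to_regex(glob):
    """Translate AppArmor path globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def silent_denies(profile_text, path, wanted):
    """Return unaudited deny rules that cover `path` for any permission in `wanted`."""
    hits = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m or m.group("audit"):
            continue  # not a deny rule, or one that is already logged
        glob = m.group("q") or m.group("p")
        if set(m.group("perms")) & set(wanted) and glob_to_regex(glob).match(path):
            hits.append(line.strip())
    return hits

if __name__ == "__main__":
    # O_RDWR in the strace above needs both read and write permission.
    for rule in silent_denies(SAMPLE_PROFILE, "/var/lib/libvirt/images/test2.qcow2", "rw"):
        print("silent deny:", rule)
```

Changing a reported rule from `deny` to `audit deny` and reloading the profile makes the next denial appear in the audit log.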