Hi Simon,
those changes (the whole part after "/sys/devices/** r,") never made it 
upstream and were actually dropped in the merge of libvirt 2.x for Yakkety.
Maybe that also moved and this is "only" needed in Xenial and actually fixed in 
>=Yakkety already?

And looking back - nobody complained on the yakkety merge that smb did - hrm ..?
Eventually (like some day) we want to get rid of the apparmor delta and that was 
one step.

I also checked the history backwards but things are a bit lost since for some time 
Ubuntu was ahead of Debian before switching to the more usual setup.
I almost couldn't find the past but I realized you know the history of this - 
as I found bug 912007 from you from 2012.

I checked a Yakkety that I had around which did not have the denies as I 
outlined before.
So following the old bug content I realized it might need special devices. So 
to reproduce on Yakkety (what I just had around) I added disks on lvm and nvme 
to see if I can find it:

    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/dev/mapper/testvg-testlv'/>
      <target dev='vdc' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/dev/nvme0n1'/>
      <target dev='vdd' bus='virtio'/>
    </disk>

The LV was silent - although I failed to see what was done in the profile for 
it.
The nvme I found and I think that is because it is new and not covered yet, 
the same way zfs might not be there yet. I need to find the spot that makes the 
"ok" to the LVM as this is clearly the place to add it on newer versions.

Simon:
- Can you describe the "noise" it makes to you?
- Having the old rules, you were on Xenial, right?
- Does it match what I found?
- The old bug only has "Per discussion on irc, I'll add a deny rule to 
usr.lib.libvirt.virt-aa-helper", but I don't really get why it is a deny and 
not an allow - could you elaborate on that?


** Changed in: libvirt (Ubuntu)
       Status: New => Confirmed

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1641618

Title:
  Apparmor denials caused by virt-aa-helper trying to read zvol devices
  (/dev/zdX) should be silenced
