Public bug reported:

Since Cockpit's "ubuntu stable" VM image got updated from Ubuntu 17.04 to 17.10, the libvirt tests now cause several instances of this AppArmor denial:

Nov 02 10:19:28 unassigned-hostname audit[1347]: AVC apparmor="DENIED" operation="open" profile="libvirt-7d476386-ebe3-46fc-b6fc-3afcf7e4346f" name="/sys/devices/pci0000:00/0000:00:02.0/virtio0/host2/target2:0:2/2:0:2:0/block/sda/queue/max_segments" pid=1347 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

It does not actually break anything, but QEMU might use this for some optimizations? Reading this kind of hardware information from /sys seems harmless and useful enough to allow it in the profile.

Note: This seems to be a race condition, I cannot trivially reproduce it locally. Thus the extra Apport information here does not contain the violation. But I attach the journal from an instance that does.

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: libvirt-daemon 3.6.0-1ubuntu5
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Thu Nov 2 11:11:02 2017
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apparmor apport-bug artful

** Attachment added: "journal"
   https://bugs.launchpad.net/bugs/1729626/+attachment/5002489/+files/TestMachines-testInlineConsole-ubuntu-stable-127.0.0.2-2801-FAIL.log

** Tags added: apparmor

Title:
  AppArmor denies access to /sys/block/*/queue/max_segments

https://bugs.launchpad.net/bugs/1729626
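
Added example (not part of the bug report or of libvirt): because the denial is racy and does not show up on every run, one way to triage a saved journal is to parse every AppArmor DENIED record and group per-VM libvirt profiles and per-device sysfs paths together. The first sample line is the denial quoted above; the other sample lines are constructed, and the grouping key only mirrors the form used in the bug title, it is not a profile rule.

```python
import re
from collections import Counter

# Sample input: line 1 is the denial quoted in the report; lines 2-4 are
# constructed for this example (second VM, an ALLOWED record, unrelated noise).
SAMPLE_JOURNAL = [
    'Nov 02 10:19:28 unassigned-hostname audit[1347]: AVC apparmor="DENIED" operation="open" profile="libvirt-7d476386-ebe3-46fc-b6fc-3afcf7e4346f" name="/sys/devices/pci0000:00/0000:00:02.0/virtio0/host2/target2:0:2/2:0:2:0/block/sda/queue/max_segments" pid=1347 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'Nov 02 10:19:31 unassigned-hostname audit[1502]: AVC apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/sys/devices/pci0000:00/0000:00:02.0/virtio0/host2/target2:0:0/2:0:0:0/block/sdb/queue/max_segments" pid=1502 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'Nov 02 10:19:32 unassigned-hostname audit[1502]: AVC apparmor="ALLOWED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/etc/hosts" pid=1502 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'Nov 02 10:19:33 unassigned-hostname systemd[1]: Started Virtual Machine qemu-1-test.',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
VM_PROFILE = re.compile(r'^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$')
BLOCK_ATTR = re.compile(r'^/sys/devices/.+/block/[^/]+/(queue/.+)$')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    start = line.find('apparmor=')
    if start < 0:
        return None
    fields = {k: q if q else b for k, q, b in FIELD.findall(line[start:])}
    return fields if fields.get('apparmor') == 'DENIED' else None

def grouping_key(fields):
    """Collapse the per-VM UUID and the per-device sysfs path into one key."""
    profile = fields.get('profile', '')
    if VM_PROFILE.match(profile):
        profile = 'libvirt-<uuid>'
    name = fields.get('name', '')
    m = BLOCK_ATTR.match(name)
    if m:
        name = '/sys/block/*/' + m.group(1)  # same form as the bug title
    return (profile, name, fields.get('denied_mask', ''))

def summarize(lines):
    """Count DENIED records per (profile family, path pattern, denied mask)."""
    counts = Counter()
    for line in lines:
        fields = parse_denial(line)
        if fields:
            counts[grouping_key(fields)] += 1
    return counts

if __name__ == '__main__':
    for (profile, name, mask), n in summarize(SAMPLE_JOURNAL).most_common():
        print(f'{n:3d}  {profile}  {mask}  {name}')
```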