I'm not entirely sure if the pathing for the XDG things is correct in libvirt.
The usual rule from mesa [1] would be:
  owner @{HOME}/.cache/ w, # if user clears all caches

But that does not work, as the user is libvirt-qemu, which has a home in
/var/lib/libvirt:
  libvirt-qemu:x:108:135:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

But the rule above does not fix the following issue:
apparmor="DENIED" operation="mkdir" 
profile="libvirt-2f6bde7c-1d3d-498a-b96c-8920f165fa4c" 
name="/var/lib/libvirt/.cache/" pid=12056 comm="qemu-system-x86" 
requested_mask="c" denied_mask="c" fsuid=108 ouid=108

fsuid == ouid == 108 matches the user id.
The path matches what I'd expect.

And the file for the guest has the rule rendered:
  owner "@{HOME}/.cache/" w

Why does this still fail?!

[1]:
https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/mesa

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1815452

Title:
  more apparmor denials for opengl usage
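
Added example, not part of the original message and not libvirt or AppArmor code: a small Python check that parses the denial quoted above and tests whether `owner @{HOME}/.cache/ w` can cover the denied path. It assumes the stock tunables/home definitions (@{HOMEDIRS}=/home/ and @{HOME}=@{HOMEDIRS}/*/ /root/), which the message does not show for this host; all function names are hypothetical, and only the path and the owner condition are checked.

```python
import re

# Constructed from the denial quoted in the message, joined onto one line.
DENIAL = ('apparmor="DENIED" operation="mkdir" '
          'profile="libvirt-2f6bde7c-1d3d-498a-b96c-8920f165fa4c" '
          'name="/var/lib/libvirt/.cache/" pid=12056 comm="qemu-system-x86" '
          'requested_mask="c" denied_mask="c" fsuid=108 ouid=108')

# Assumption: stock tunables/home values; a host may override them.
TUNABLES = {"HOMEDIRS": ["/home/"], "HOME": ["@{HOMEDIRS}/*/", "/root/"]}

def parse_denial(line):
    """Split an AppArmor audit message into a key -> value dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def expand(path, tunables):
    """Expand @{VAR} references into every concrete pattern, collapsing '//'."""
    m = re.search(r'@\{(\w+)\}', path)
    if not m:
        return [re.sub(r'/+', '/', path)]
    out = []
    for value in tunables[m.group(1)]:
        out += expand(path[:m.start()] + value + path[m.end():], tunables)
    return out

def glob_to_regex(pattern):
    """Translate the two globs used here: '**' crosses '/', '*' does not."""
    parts = re.split(r'(\*\*|\*)', pattern)
    rx = ''.join({'**': '.*', '*': '[^/]*'}.get(p, re.escape(p)) for p in parts)
    return re.compile(rx)

def rule_covers(rule_path, denial, tunables):
    """True if an `owner <rule_path> w` rule would cover the denied path."""
    d = parse_denial(denial)
    owner_ok = d["fsuid"] == d["ouid"]  # the `owner` qualifier
    return owner_ok and any(glob_to_regex(p).fullmatch(d["name"])
                            for p in expand(rule_path, tunables))

if __name__ == "__main__":
    for rule in ("@{HOME}/.cache/", "/var/lib/libvirt/.cache/"):
        print(rule, "->", expand(rule, TUNABLES),
              "covers denial:", rule_covers(rule, DENIAL, TUNABLES))
```

Under those assumed tunables the rule expands to /home/*/.cache/ and /root/.cache/, neither of which matches /var/lib/libvirt/.cache/, even though the owner condition holds.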
