As I assumed, easily reproducible:

[ 7152.173377] audit: type=1400 audit(1560925171.038:439): apparmor="DENIED" operation="file_r50-221da1d95974" pid=18422 comm ="qemu-system-x86" family="unix" sock_type="stream" protocol=0

Compared to other denies this is really rather low on extra qualifiers - I see why you just added "unix," for now :-/

We used to have this for the past few releases:
  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),

The peer detection is gone now, I have no good idea why, but essentially for libvirt 4.0 we have to trim the rule to
  unix (send, receive) type=stream addr=none,

Which is still a rather (too) open rule.

Further I have realized that your systems (which are Eoan, while I'm Eoan LXD on Bionic+HWE 4.18) actually detect a peer, but with the path changed.
- kernel 5.0.0-16 (Eoan) peer="libvirtd"
- kernel 4.18 (Bionic + HWE) no peer detected
- older libvirt peer=(label=/usr/sbin/libvirtd)

I started a discussion in #security; if nothing comes back I'll set jdstrand to CC anyway when submitting something upstream, maybe he has an idea why the peer detection was changed.

--
https://bugs.launchpad.net/bugs/1833040

Title:
  virt-manager fails to show virtual console: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
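
Added example (not part of the original message or of libvirt): a small triage helper that parses AppArmor DENIED audit lines and reports whether the kernel logged a peer label for a unix socket, and whether it still equals the label the older rule pinned. The sample lines are constructed; the operation value and the log form of the older label (peer="/usr/sbin/libvirtd") are assumptions.

```python
import re

# key="quoted" or key=bare; tolerates the stray space in `comm ="..."` seen in the log above
FIELD_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')

# Label pinned by the older rule: peer=(label=/usr/sbin/libvirtd)
EXPECTED_PEER = "/usr/sbin/libvirtd"

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit line, or None for other lines."""
    fields = {k: (q if q else b) for k, q, b in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def peer_status(fields, expected=EXPECTED_PEER):
    """Classify the peer label the kernel reported for a unix socket denial."""
    if fields.get("family") != "unix":
        return "not-unix"
    peer = fields.get("peer")
    if peer is None:
        return "no-peer"  # nothing for a peer=(label=...) condition to match
    return "peer-match" if peer == expected else "peer-changed"

def triage(lines):
    """Return (comm, sock_type, status, peer) for every denial in lines."""
    rows = []
    for line in lines:
        fields = parse_denial(line)
        if fields:
            rows.append((fields.get("comm"), fields.get("sock_type"),
                         peer_status(fields), fields.get("peer")))
    return rows

# Constructed sample lines, one per case listed in the message (not real logs).
_BASE = ('audit: type=1400 audit(0.000:1): apparmor="DENIED" '
         'operation="file_receive" pid=1000 comm ="qemu-system-x86" '
         'family="unix" sock_type="stream" protocol=0')
SAMPLE = [
    _BASE + ' peer="libvirtd"',            # kernel 5.0.0-16 case
    _BASE,                                 # kernel 4.18 case: no peer logged
    _BASE + ' peer="/usr/sbin/libvirtd"',  # older label (assumed log form)
    'audit: type=1400 audit(0.000:2): apparmor="ALLOWED" family="unix"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
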
