I've been using qemu-bridge-helper for a while already. Since updating to
19.10, libvirtd suddenly refused to start my VMs. It turned out to be caused
by AppArmor; I found these log messages:
audit: type=1400 audit(1580253669.262:100): apparmor="DENIED" operation="file_inherit" profile="libvirtd//qemu_bridge_helper" pid=5629 comm="qemu-bridge-hel" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"
audit: type=1400 audit(1580253669.262:101): apparmor="DENIED" operation="file_inherit" profile="libvirtd" pid=5629 comm="qemu-bridge-hel" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd//qemu_bridge_helper"
audit: type=1400 audit(1580253669.262:102): apparmor="DENIED" operation="signal" profile="libvirtd" pid=3118 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="libvirtd//qemu_bridge_helper"
For me, the change below fixed the issue. I've barely any idea what I'm
doing; I never wrote AppArmor profiles before. So this patch probably needs a bit
of fine-tuning.
--- usr.sbin.libvirtd-orig 2020-01-29 22:52:27.257908332 +0100
+++ usr.sbin.libvirtd 2020-01-29 22:45:42.358642382 +0100
@@ -62,8 +62,10 @@
signal (send) set=("kill", "term") peer=unconfined,
# For communication/control to qemu-bridge-helper
- unix (send, receive) type=stream addr=none
peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
- signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+ unix (send, receive) type=stream addr=none
peer=(label=libvirtd//qemu_bridge_helper),
+ signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
# allow connect with openGraphicsFD, direction reversed in newer versions
unix (send, receive) type=stream addr=none
peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
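Review bot: Both rules under "For communication/control to qemu-bridge-helper" replace the peer label /usr/sbin/libvirtd//qemu_bridge_helper with libvirtd//qemu_bridge_helper instead of adding the new label next to the old one. The new label matches the peer="libvirtd//qemu_bridge_helper" value in the denials quoted above, so the direction is right, but the child-profile section further down in this same file keeps signal rules for both /usr/sbin/libvirtd and libvirtd side by side. I would follow that pattern here and keep the path-named rules as well, so the profile still works on a system where it is loaded under its path name. The rules stay scoped to type=stream addr=none and to the term signal, so this does not widen what libvirtd may do. Also note that the hunk header (-62,8 +62,10) claims two net added lines while the visible changes remove two rules and add two, so the patch may have been mangled in the mail; please attach it as a file.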
@@ -122,7 +124,8 @@
network inet stream,
# For communication/control from libvirtd
- unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
signal (receive) set=("term") peer=/usr/sbin/libvirtd,
signal (receive) set=("term") peer=libvirtd,
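Review bot: The unix rule under "For communication/control from libvirtd" is switched to peer=(label=libvirtd) while the two signal (receive) rules right after it cover both /usr/sbin/libvirtd and libvirtd, which leaves the unix and signal rules inconsistent. Suggest keeping the existing peer=(label=/usr/sbin/libvirtd) unix rule and adding the peer=(label=libvirtd) one beside it, mirroring the signal pair. The header (-122,7 +124,8) says one line is added net, but only a one-for-one replacement is visible; the final line, signal (receive) set=("term") peer=libvirtd, looks like it was an added line that lost its + marker, so it is worth confirming whether that rule is already in the shipped profile or is part of this change.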
--
https://bugs.launchpad.net/bugs/1655111
Title:
LibVirt Apparmor profile has qemu-bridge-helper listed in the wrong
directory