Hi Yury,
Until this is implemented for real, adding apparmor rules for the uncommon paths is the 
way to go.
The difference I'd suggest to your solution is to use local overrides since 
they will neither prompt you nor be overwritten on updates.

This can be done in:
# allow virt-aa-helper to generate per-guest rules in an uncommon path
/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper
# allow things for an individual guest
/etc/apparmor.d/libvirt/libvirt-<uuid>
# allow something for all guests
/etc/apparmor.d/local/abstractions/libvirt-qemu

In the particular case the best way should be an entry like
   /srv/libvirt/images/** r,
in /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper

That is especially good since each individual guest will still only get rules 
added to allow "its own storage" as configured in the guest XML.
In your solution, by comparison, an exploited guest A could access the storage of 
guest B.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677398

Title:
  Apparmor prevents using storage pools and hostdev networks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1677398/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
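The local-override approach described in the message above, written out as an added shell helper; this is example code, not from the bug thread and not part of libvirt or Ubuntu's packaging. It assumes Ubuntu's libvirt AppArmor layout (the main profile /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper pulling in its local/ override file), takes the pool path as its only argument, validates it so the resulting `/**` rule cannot silently widen to the whole filesystem, appends the rule only once, and reloads the profile with `apparmor_parser -r` (the only step that needs root). The pool path /srv/libvirt/images is the one from the message.

```shell
#!/bin/sh
# Added example: grant virt-aa-helper read access to an uncommon storage pool path
# via the local override file, so per-guest rules are still generated from the
# guest XML instead of every guest getting access to every image.
# Assumptions: Ubuntu's /etc/apparmor.d layout; apparmor_parser -r needs root.

VIRT_AA_HELPER_OVERRIDE=/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper
VIRT_AA_HELPER_PROFILE=/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

# Accept only an absolute path without a trailing slash and without characters
# that would either break the rule syntax or widen "<path>/**" to "/".
pool_path_ok() {
    case "$1" in
        /|''|*' '*|*','*|*'#'*) return 1 ;;   # root, empty, whitespace, separators
        /*/) return 1 ;;                       # trailing slash: we append /** ourselves
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# The one rule virt-aa-helper needs: read everything below the pool so it can
# inspect images and then emit a per-guest "this disk only" rule for each VM.
helper_rule() {
    printf '  %s/** r,\n' "$1"
}

# Exact-line match keeps repeated runs idempotent; a missing file counts as absent.
rule_present() {
    grep -qxF -- "$(helper_rule "$1")" "$2" 2>/dev/null
}

# Append the rule to the override file (second argument overrides the default
# path, which lets this be exercised against a temporary file without root).
install_rule() {
    path=$1
    file=${2:-$VIRT_AA_HELPER_OVERRIDE}
    if ! pool_path_ok "$path"; then
        echo "refusing to add a rule for '$path'" >&2
        return 1
    fi
    if rule_present "$path" "$file"; then
        echo "rule already present in $file"
        return 0
    fi
    helper_rule "$path" >> "$file" || return 1
    echo "added '$(helper_rule "$path")' to $file"
}

# Reload the main profile; it #includes local/ so the override takes effect.
reload_profile() {
    apparmor_parser -r "${1:-$VIRT_AA_HELPER_PROFILE}"
}

# Usage: sh add-pool-override.sh /srv/libvirt/images   (as root)
if [ $# -ge 1 ]; then
    install_rule "$1" && reload_profile
fi
```

After the reload, starting or defining a guest still goes through virt-aa-helper, which now can read the pool and writes the guest's own image path into /etc/apparmor.d/libvirt/libvirt-<uuid>; other guests get nothing extra. Putting the same `/srv/libvirt/images/** rw,` line into local/abstractions/libvirt-qemu instead would make every guest's profile cover every image in the pool, which is exactly the cross-guest exposure the message warns about.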
