Comment 4 for bug 912007

Serge Hallyn (serge-hallyn) wrote :

For the record I've reproduced this.

Interestingly, /dev/dm-2 *is* in the allowed list. Following is the syslog entry:

Jan 5 10:07:11 sergelap kernel: [ 5768.408495] type=1400 audit(1325779631.010:95): apparmor="DENIED" operation="open" parent=1606 profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-2" pid=13978 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 5 10:07:11 sergelap kernel: [ 5768.682389] type=1400 audit(1325779631.286:96): apparmor="STATUS" operation="profile_load" name="libvirt-defba839-e7fc-1290-17b4-d0e8c1e68296" pid=13985 comm="apparmor_parser"

So it is virt-aa-helper's profile which needs to be updated, not that of the VMs. In particular:

/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper