libvirt apparmor profile blocks access to ceph config file if cluster name is not "ceph"

Bug #1588576 reported by youshotwhointhatwhatnow
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Christian Ehrhardt
Milestone: (none)

Bug Description

The name of the Ceph config file depends on the name of your Ceph cluster. By default the cluster name is just "ceph" so the config file is named "ceph.conf". If you name your cluster "foobar" your config file will be named "foobar.conf".

The apparmor profile /etc/apparmor.d/abstractions/libvirt-qemu grants read access only to "/etc/ceph/ceph.conf" where it really should grant read access to "/etc/ceph/*.conf".

This is on Xenial server.

Joshua Powers (powersj)
Changed in libvirt (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi, I'm clearing out old bugs that were forgotten somewhere/somehow - I beg your pardon for the lack of activity ...

On this one I wonder why this isn't more impactful if that is a common problem.

As of today the rule still is:
  /etc/ceph/ceph.conf r,
in file
  src/security/apparmor/libvirt-qemu

For my lack of ceph knowledge I have pinged a few friends who know more.
If your statement is true that the filename changes we should indeed fix that (first upstream then, but that is a detail).

Just naively looking into the code I see ceph.conf all around but no variable/replacement.
For example the services are static
debian/lib-systemd/system/ceph-osd@.service:11:Environment=CONFIG=/etc/ceph/ceph.conf
debian/lib-systemd/system/ceph-create-keys.service:7:Environment=CONFIG=/etc/ceph/ceph.conf

But then I found
https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-clusters

Which clearly confirms:
"When you run multiple clusters, you must name your cluster and save the Ceph configuration file with the name of the cluster. For example, a cluster named openstack will have a Ceph configuration file with the file name openstack.conf in the /etc/ceph default directory."

tags: added: server-todo
Changed in libvirt (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
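Added example, not part of the bug report or of libvirt's own code: a small Python model of AppArmor path globbing (simplified glob semantics are an assumption here) that shows why the rule quoted above only covers a cluster named "ceph", and how the wildcard rule the report asks for covers any cluster name without reaching into subdirectories or granting anything beyond read.

```python
import re

# Rule as it stood in src/security/apparmor/libvirt-qemu (quoted in the bug).
OLD_RULE = "/etc/ceph/ceph.conf r,"
# Rule shape the bug report asks for (the exact upstream diff is not on this page).
NEW_RULE = "/etc/ceph/*.conf r,"


def apparmor_path_regex(rule_path):
    """Translate an AppArmor file-rule path into an anchored regex.

    Simplified glob semantics, an assumption of this example that covers
    the common cases: '**' matches any characters including '/',
    '*' matches any characters except '/', '?' matches one non-'/' character.
    """
    parts = []
    i = 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule_path[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif rule_path[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_file_rule(rule):
    """Split a rule such as '/etc/ceph/ceph.conf r,' into ('/etc/ceph/ceph.conf', {'r'})."""
    path, perms = rule.strip().rstrip(",").split()
    return path, set(perms)


def rule_allows(rule, path, perm="r"):
    """True if the rule grants `perm` on the concrete `path`."""
    rule_path, perms = parse_file_rule(rule)
    return perm in perms and apparmor_path_regex(rule_path).match(path) is not None


def blocked_clusters(rule, cluster_names):
    """Cluster names whose /etc/ceph/<name>.conf the rule does not allow qemu to read."""
    return [n for n in cluster_names if not rule_allows(rule, "/etc/ceph/%s.conf" % n)]
```

Running blocked_clusters(OLD_RULE, ["ceph", "foobar", "openstack"]) returns the two non-default names, while NEW_RULE returns an empty list and still denies /etc/ceph/foobar.keyring and any path below a subdirectory.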
Christian Ehrhardt  (paelzer) wrote :

Due to various other tasks I might need a few weeks to make progress on this, but after all that time a few weeks do not matter too much :-/

Christian Ehrhardt  (paelzer) wrote :

I've written the rule and submitted it upstream.
Let us see what the feedback there will be.

=> https://listman.redhat.com/archives/libvir-list/2021-October/msg00183.html

Changed in libvirt (Ubuntu):
status: Confirmed → In Progress
tags: added: libvirt-22.04
Christian Ehrhardt  (paelzer) wrote :

Accepted https://gitlab.com/libvirt/libvirt/-/commit/e3c5a8ec735ac62817d6d4c42e89720cbbfeaf9c

We will pick this up with the merge of libvirt for Ubuntu 22.04

Christian Ehrhardt  (paelzer) wrote :

TODO's cleared for now until next merge for 22.04, dropping the tag.

tags: removed: server-todo
Christian Ehrhardt  (paelzer) wrote :

FYI - as planned part of the merge of 8.0.0 for jammy in bug 1946869

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 8.0.0-1ubuntu3

---------------
libvirt (8.0.0-1ubuntu3) jammy; urgency=medium

  * Revert "d/rules, d/libvirt-daemon-system.{postinst,prerm}: never stop
    system services and sockets."
    Due to the fix being in debhelper we no more need this mitigation now.
    (LP: #1959054)

libvirt (8.0.0-1ubuntu2) jammy; urgency=medium

  * No-change rebuild to update maintainer scripts, see LP: 1959054

libvirt (8.0.0-1ubuntu1) jammy; urgency=medium

  * Merge 8.0.0 from Debian unstable (LP: #1946869)
    Among many other fixes and improvements this fixes ceph usage
    in regard to apparmor (LP: #1588576)
    Remaining changes:
    - libvirt-uri.sh: Automatically switch default libvirt URI for users
      via user profile (xen URI on dom0, qemu:///system otherwise)
      [contains lintian fixups of 6.6.0-1ubuntu1]
    - Disable libssh2 support (universe dependency)
    - d/control: add libzfslinux-dev to build-deps
    - d/control: drop libvirt-lxc, vbox and xen drivers to suggest
    - d/control: breaks replaces for augeas lenses move in 6.0.0-1
      (follows Debian, droppable >22.04)
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI
      Secure Boot enabled variants of the OVMF firmware and variable store for
      the paths where we ship these files in Ubuntu.
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite a long time.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - d/p/u/parallel-shutdown.patch: set parallel shutdown by default.
    - Update README.Debian with Ubuntu changes
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - fix autopkgtests (LP 1899180)
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
        vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run
        installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
        long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
      + d/t/control, d/t/smoke-lxc: retry service restart and skip test if
        failing; This was flaky on some release/architectures
      + d/t/smoke-lxc: retry check_domain being flaky on arm64
    - dnsmasq related enhancements
      [now contains dnsmasq-as-priv-user of 6.6.0-1ubuntu1]
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user...

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released