Bug 1070914 - libvirt-* AppArmor profile doesn't allow /proc/*/cmdline
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Virtualization:Other
Version: Current
Hardware: Other openSUSE 42.2
Priority: P5 - None
Severity: Normal
Assigned To: James Fehlig
Reported: 2017-12-03 17:33 UTC by Christian Boltz
Modified: 2017-12-04 19:49 UTC
Found By: Beta-Customer
Description Christian Boltz 2017-12-03 17:33:27 UTC
After enabling security_default_confined in /etc/libvirt/qemu.conf, I see this AppArmor denial:

type=AVC msg=audit(1512321742.432:6607): apparmor="DENIED" operation="open" profile="libvirt-ed0e8433-073f-4dfb-823c-e553399d21aa" name="/proc/21094/cmdline" pid=23579 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=297 ouid=0

Please add
    @{PROC}/@{pids}/cmdline r,
to the profile template to fix this.
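
Added example (not part of the original report, and not libvirt or AppArmor project code): a small Python triage helper that parses AppArmor DENIED audit records like the one above, collapses the per-VM libvirt-<UUID> profiles into one family, and derives the candidate template rule. The second and third sample log lines, the function names and the c/d-to-w mask mapping are assumptions made for this illustration.

```python
import re

# Constructed sample: line 1 is the denial quoted in the report; line 2 is a
# made-up copy for a second VM (different UUID/PIDs); line 3 is unrelated noise.
SAMPLE_LOG = """\
type=AVC msg=audit(1512321742.432:6607): apparmor="DENIED" operation="open" profile="libvirt-ed0e8433-073f-4dfb-823c-e553399d21aa" name="/proc/21094/cmdline" pid=23579 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=297 ouid=0
type=AVC msg=audit(1512321750.101:6611): apparmor="DENIED" operation="open" profile="libvirt-00000000-1111-2222-3333-444444444444" name="/proc/30001/cmdline" pid=30555 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=297 ouid=0
type=SERVICE_START msg=audit(1512321751.000:6612): pid=1 uid=0 msg='unit=libvirtd res=success'
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")
LOG_TO_PROFILE_MASK = {"c": "w", "d": "w"}  # assumption: create/delete map to "w"


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    fields = {k: q if q else u for k, q, u in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(denial):
    """Generalise the denied path with AppArmor variables and build a rule."""
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pids}/", denial["name"])
    path = re.sub(r"^/proc/", "@{PROC}/", path)
    # Map log-only mask letters to profile permissions, dropping duplicates.
    mapped = (LOG_TO_PROFILE_MASK.get(c, c) for c in denial["denied_mask"])
    perms = "".join(dict.fromkeys(mapped))
    return f"{path} {perms},"


def template_rules(log_text):
    """Collapse per-VM denials into sorted (profile family, rule) pairs."""
    found = set()
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial and "name" in denial:
            family = UUID.sub("*", denial["profile"])
            found.add((family, suggest_rule(denial)))
    return sorted(found)


if __name__ == "__main__":
    for family, rule in template_rules(SAMPLE_LOG):
        print(f"{family}: {rule}")
```

A rule derived this way goes into the template and therefore applies to every confined guest, so review what the path exposes before adding it.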
Comment 1 James Fehlig 2017-12-04 19:18:22 UTC
I committed the fix upstream just in time for the 3.10.0 release. Submitted to Factory as SR#548220.