apparmor, libvirt-qemu: Allow macvtap access
Bug #1704744 reported by
Christian Ehrhardt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
apparmor, libvirt-qemu: Allow macvtap access
Add rule to allow access to /dev/tap* used by macvtap.
SubmissionInfo: should be fixed via virt-aa-helper
Old Bug-Ubuntu: https:/
tags: | added: virt-aa-helper |
Changed in libvirt (Ubuntu): | |
status: | New → Triaged |
To post a comment you must log in.
I found two styles to define, the latter being the more common one I knew.
Testing both to be sure.
1. macvtap via forward mode bridge network macvtap- net</name> 157ecf3d- 14fc-4157- ace9-9c7c055972 52</uuid>
<network>
<name>
<uuid>
<forward dev='eno2' mode='bridge'>
<interface dev='eno2'/>
</forward>
</network>
Then in the guest 'macvtap- net'/>
<interface type='network'>
<source network=
<model type='virtio'/>
</interface>
2. macvtap via direct guest interface
<interface type='direct' >
<source dev='eno3'/>
</interface>
Both work nowadays.
This already generates (changing as needed): d/libvirt/ libvirt- 26dedac7- b8de-4772- 9f59-a5bb962394 c5.files: 15: "/dev/tap12" rw, d/libvirt/ libvirt- 26dedac7- b8de-4772- 9f59-a5bb962394 c5.files: 16: "/dev/tap13" rw,
/etc/apparmor.
/etc/apparmor.
This is actually doen since ages via domainSetSecuri tyTapFDLabel -> AppArmorSetFDLabel. apparmor- libvirt- qemu-Allow- macvtap- access. patch:+ /dev/tap* rw,
Time to drop the following patch next merge:
0002-