Comment 17 for bug 1719579

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2018-02-19 03:35 EDT-------
> Get me right I use virsh save/restore on a regular base and it works in the paths that are open by default,
> which are the places the images usually are from like /var/lib/libvirt/images/.

> If that does not work that might be a modified apparmor rule, but for that I'd need to know way more
> about the case and see if it is actually a bug or really just using an uncommon dir.

Even with an uncommon dir, the denial should be consistent: if the path used by the user is not permitted, then apparmor should block/deny when virsh save is performed and not during the virsh restore.

Observation in Ubuntu 16.04.3,

# virsh save virt-tests-vm1 /var/tmp/virt-tests-vm1.save

Domain virt-tests-vm1 saved to /var/tmp/virt-tests-vm1.save

By default virsh restore fails with the same error,
# virsh restore /var/tmp/virt-tests-vm1.save
error: Failed to restore domain from /var/tmp/virt-tests-vm1.save
error: operation failed: job: unexpectedly failed

But as suggested by paelzer,
> If you want to look into potential config issues, remove the silent denies to /var and /var temp
> at the end of "/etc/apparmor.d/abstractions/libvirt-qemu".
> Then run your case again, report back with

commenting denials,

# silence spurious denials (see lp#1403648)
deny /tmp/{,**} r,
# deny /var/tmp/{,**} r,

restart libvirtd

# virsh restore /var/tmp/virt-tests-vm1.save
error: Failed to restore domain from /var/tmp/virt-tests-vm1.save
error: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442' for '/usr/bin/kvm': No such file or directory

But file exists,
# file /var/tmp/virt-tests-vm1.save
/var/tmp/virt-tests-vm1.save: Libvirt QEMU Suspend Image, version 2, XML length 1970, running

dmesg:
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered blocking state
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state
[Mon Feb 19 03:19:16 2018] device vnet0 entered promiscuous mode
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered blocking state
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered listening state
[Mon Feb 19 03:19:16 2018] audit: type=1400 audit(1519028363.683:12417): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442" pid=12949 comm="libvirtd"
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state
[Mon Feb 19 03:19:16 2018] device vnet0 left promiscuous mode
[Mon Feb 19 03:19:16 2018] virbr0: port 2(vnet0) entered disabled state

Attaching full dmesg with this bugzilla

Environment:

Kernel
# uname -a
Linux ltc-test-ci1 4.13.0-35-generic #39~16.04.1-Ubuntu SMP Mon Feb 12 15:01:58 UTC 2018 ppc64le ppc64le ppc64le GNU/Linux

Libvirt
# dpkg -l | grep libvirt
ii libvirt-bin 1.3.1-1ubuntu10.18 ppc64el programs for the libvirt library
ii libvirt-dev:ppc64el 1.3.1-1ubuntu10.18 ppc64el development files for the libvirt library
ii libvirt0:ppc64el 1.3.1-1ubuntu10.18 ppc64el library for interfacing with different virtualization systems
ii python-libvirt 1.3.1-1ubuntu1.1 ppc64el libvirt Python bindings

Qemu
# dpkg -l | grep qemu
ii ipxe-qemu 1.0.0+git-20150424.a25a16d-1ubuntu1.2 all PXE boot firmware - ROM images for qemu
ii qemu-block-extra:ppc64el 1:2.5+dfsg-5ubuntu10.21 ppc64el extra block backend modules for qemu-system and qemu-utils
ii qemu-kvm 1:2.5+dfsg-5ubuntu10.21 ppc64el QEMU Full virtualization
ii qemu-slof 20151103+dfsg-1ubuntu1.1 all Slimline Open Firmware -- QEMU PowerPC version
ii qemu-system-common 1:2.5+dfsg-5ubuntu10.21 ppc64el QEMU full system emulation binaries (common files)
ii qemu-system-ppc 1:2.5+dfsg-5ubuntu10.21 ppc64el QEMU full system emulation binaries (ppc)
ii qemu-utils 1:2.5+dfsg-5ubuntu10.21 ppc64el QEMU utilities
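
Added example, not part of the original comment and not libvirt or AppArmor code: a small Python triage of AppArmor audit records that separates a failed profile transition, as in the dmesg line quoted in the comment (operation="change_profile", info="label not found", error=-2, which is ENOENT for the profile label), from an ordinary path denial. The function names and the second and third sample lines are constructed for illustration.

```python
import errno
import re

# key=value or key="value" pairs as used in kernel AppArmor audit records
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the audit fields as a dict, or None for non-AppArmor lines."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in PAIR_RE.findall(line)}

def classify(rec):
    """Return (kind, detail) for one parsed AppArmor record."""
    if rec.get("apparmor") != "DENIED":
        return ("not-a-denial", "")
    err = int(rec.get("error", "0"))
    errname = errno.errorcode.get(-err, str(err)) if err else ""
    if rec.get("operation") == "change_profile" and rec.get("info") == "label not found":
        # The process asked to switch to a profile the kernel has not loaded.
        return ("profile-not-loaded", f"{rec.get('name')} ({errname})")
    if "denied_mask" in rec and rec.get("name", "").startswith("/"):
        return ("path-denied", f"{rec['name']} mask={rec['denied_mask']}")
    return ("other-denial", rec.get("operation", ""))

def triage(lines):
    """Classify every AppArmor record found in an iterable of log lines."""
    return [classify(rec) for rec in map(parse_record, lines) if rec]

# First line is the audit record quoted in the comment; the second (a plain
# file-read denial) and third (non-AppArmor noise) are constructed for contrast.
SAMPLE = [
    '[Mon Feb 19 03:19:16 2018] audit: type=1400 audit(1519028363.683:12417): '
    'apparmor="DENIED" operation="change_profile" info="label not found" error=-2 '
    'profile="/usr/sbin/libvirtd" name="libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442" '
    'pid=12949 comm="libvirtd"',
    '[constructed] audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/tmp/example.save" '
    'pid=1 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[constructed] virbr0: port 2(vnet0) entered disabled state',
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, detail)
```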