As for the /tmp and /var/tmp denials, Dave mentioned that adding the following rules silenced the denials:
/tmp/ r,
/var/tmp/ r,
I'm not a fan of those rules in general, because they give the VMs read access to the directory and they can see what is in there. However I also don't want to break existing setups by adding an explicit deny rule that would block all access to /tmp and /var/tmp if the user updated policy for that or is putting disks in /tmp for testing environments.
As such I suggest the following:
1. for stable releases, add the following to /etc/apparmor.d/abstractions/libvirt-qemu:
/tmp/ r,
/var/tmp/ r,
2. for vivid, add the following to /etc/apparmor.d/abstractions/libvirt-qemu:
deny /tmp/{,**} r,
deny /var/tmp/{,**} r,
'1' is suitable for SRU since it only allows access where it wasn't allowed before. If we get bug reports in 15.04+ for '2', the proper solution is to have libvirt set up a VM-specific tmp dir, and have aa-virt-helper add this directory to the .files file for that VM.
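To make the difference between the two proposals concrete, here is a small added Python model (not part of the comment above, and not AppArmor's own parser) that evaluates the two rule sets against a few constructed paths. It implements a simplified version of AppArmor path globbing (`*`, `**`, `?`, `{a,b}`) and the rule that an explicit `deny` wins over any `allow`; the hypothetical per-VM rule `/tmp/disk.img rw,` stands in for what a VM's .files profile might grant when someone keeps a disk image in /tmp, which is the setup the comment worries about breaking.

```python
import re

# Assumption: this is a simplified model of AppArmor path matching, not the
# real parser. '*' = any run of non-'/' chars, '**' = any run of chars
# including '/', '?' = one non-'/' char, '{a,b}' = alternation.
def glob_to_regex(glob: str) -> str:
    out, depth, i = [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


# Matches simple file rules such as "/tmp/ r," or "deny /tmp/{,**} r,".
RULE_RE = re.compile(r"^\s*(deny\s+)?(\S+)\s+([a-z]+),\s*$")


def parse_rule(line: str) -> dict:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a simple file rule: {line!r}")
    return {
        "deny": bool(m.group(1)),
        "glob": m.group(2),
        "regex": re.compile(glob_to_regex(m.group(2))),
        "perms": set(m.group(3)),
    }


def evaluate(rules: list, path: str, perm: str) -> str:
    """Return 'deny', 'allow' or 'unmatched' for one access.

    As in AppArmor, an explicit deny beats every allow rule. 'unmatched'
    means no rule in the set covers the access; in enforce mode the kernel
    would reject it and log a DENIED audit event, but a rule from another
    file (e.g. the VM's own .files profile) could still allow it.
    """
    matched = [r for r in rules if perm in r["perms"] and r["regex"].match(path)]
    if any(r["deny"] for r in matched):
        return "deny"
    return "allow" if matched else "unmatched"


# The two proposals from the comment above.
STABLE_RULES = [parse_rule(l) for l in ("/tmp/ r,", "/var/tmp/ r,")]
VIVID_RULES = [parse_rule(l) for l in ("deny /tmp/{,**} r,", "deny /var/tmp/{,**} r,")]

# Hypothetical per-VM grant: someone keeps a disk image in /tmp (constructed).
VM_RULES = [parse_rule("/tmp/disk.img rw,")]


def compare(path: str, perm: str = "r") -> tuple:
    """(stable-only, vivid-only, stable+VM rule, vivid+VM rule) for one path."""
    return (
        evaluate(STABLE_RULES, path, perm),
        evaluate(VIVID_RULES, path, perm),
        evaluate(STABLE_RULES + VM_RULES, path, perm),
        evaluate(VIVID_RULES + VM_RULES, path, perm),
    )


if __name__ == "__main__":
    for p in ("/tmp/", "/tmp/disk.img", "/var/tmp/", "/var/tmp/a/b", "/home/u/vm.img"):
        print(f"{p:18} stable={compare(p)[0]:9} vivid={compare(p)[1]:9} "
              f"stable+vm={compare(p)[2]:9} vivid+vm={compare(p)[3]}")
```

Running it shows why the comment treats the two options differently: the stable rules only add a directory listing (`/tmp/` becomes `allow`, `/tmp/disk.img` stays `unmatched` and so still depends on the VM's own profile), whereas the vivid deny rules turn every read under /tmp and /var/tmp into `deny`, including the disk image a per-VM rule would otherwise permit.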