Again at:
sudo virsh start yakkety-doubleseclabel
error: Failed to start domain yakkety-doubleseclabel
error: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153'
In the log I found the related:
Okt 27 13:45:50 horsea libvirtd[10370]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-8746b00d-aad1-4346-8784-2d4331465153) unexpected exit status 1: 2016-10-27 13:45:20.873+0000: 10640: info : libvirt version: 2.1.0, package: 1ubuntu10~ppa3 (Christian Ehrhardt <email address hidden> Mon, 24 Oct 2016 14:21:36 +0200) 2016-10-27 13:45:20.873+0000: 10640: info : hostname: horsea 2016-10-27 13:45:20.873+0000: 10640: error : virSecurityLabelDefParseXML:6473 : XML error: security label is missing virt-aa-helper: error: could not parse XML virt-aa-helper: error: could not get VM definition
Okt 27 13:45:50 horsea libvirtd[10370]: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153'
Okt 27 13:45:50 horsea virtlogd[7706]: End of file while reading data: Input/output error
I also found that adding dac alone is enough to trigger:
$ virsh dumpxml yakkety-sec-app | grep -A 20 seclabel
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>
=> Working
$ virsh dumpxml yakkety-sec-dac | grep -A 20 seclabel
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
=> Failing just as much as case 1, maybe because apparmor is default on.
Trying to check the /usr/lib/libvirt/virt-aa-helper in those cases, but since it is not meant to be called directly that is a bit tricky.
Again at: doubleseclabel doubleseclabel 8746b00d- aad1-4346- 8784-2d43314651 53'
sudo virsh start yakkety-
error: Failed to start domain yakkety-
error: internal error: cannot load AppArmor profile 'libvirt-
In the log I found the related: LOG_OUTPUTS= 3:stderr /usr/lib/ libvirt/ virt-aa- helper -p 0 -r -u libvirt- 8746b00d- aad1-4346- 8784-2d43314651 53) unexpected exit status 1: 2016-10-27 13:45:20.873+0000: 10640: info : libvirt version: 2.1.0, package: 1ubuntu10~ppa3 (Christian Ehrhardt <email address hidden> Mon, 24 Oct 2016 14:21:36 +0200)
2016- 10-27 13:45:20.873+0000: 10640: info : hostname: horsea
2016- 10-27 13:45:20.873+0000: 10640: error : virSecurityLabe lDefParseXML: 6473 : XML error: security label is missing
virt- aa-helper: error: could not parse XML
virt- aa-helper: error: could not get VM definition 8746b00d- aad1-4346- 8784-2d43314651 53'
Okt 27 13:45:50 horsea libvirtd[10370]: internal error: Child process (LIBVIRT_
Okt 27 13:45:50 horsea libvirtd[10370]: internal error: cannot load AppArmor profile 'libvirt-
Okt 27 13:45:50 horsea virtlogd[7706]: End of file while reading data: Input/output error
I also found that adding dac alone is enough to trigger:
$ virsh dumpxml yakkety- doubleseclabel | grep -A 20 '<seclabel'
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
=> Failing
$ virsh dumpxml yakkety-sec-app | grep -A 20 seclabel
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>
=> Working
$ virsh dumpxml yakkety-sec-dac | grep -A 20 seclabel
<seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
=> Failing just as much as case 1, maybe because apparmor is default on.
Trying to check the /usr/lib/ libvirt/ virt-aa- helper in those cases, but since it is not meant to be called directly that is a bit tricky.