Compared to other denies this is really rather low on extra qualifiers - I see why you just added "unix," for now :-/
We used to have this for the past few releases:
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
The peer detection is gone now, I have no good idea why, but essentially for libvirt 4.0 we have to trim the rule to
unix (send, receive) type=stream addr=none,
Which is still a rather (too) open rule.
Further I have realized that your systems (which are Eoan, while I'm on Eoan LXD on Bionic+HWE 4.18) actually detect a peer, but with the path changed.
- kernel 5.0.0-16 (Eoan) peer="libvirtd"
- kernel 4.18 (Bionic + HWE) no peer detected
- older libvirt peer=(label=/usr/sbin/libvirtd)
I started a discussion in #security.
If nothing comes back I'll set jdstrand to CC anyway when submitting something upstream, maybe he has an idea why the peer detection was changed.
As I assumed, easily reproducible:
[ 7152.173377] audit: type=1400 audit(1560925171.038:439): apparmor="DENIED" operation="file_r50- 221da1d95974" pid=18422 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0
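To make the three cases in the comment concrete, here is a small added example (not part of this bug comment, and not libvirt's or AppArmor's own tooling) that parses AppArmor unix-socket denials from dmesg-style audit lines and derives the narrowest `unix` rule each one would need. The sample lines are constructed to mirror the three behaviours described above (peer reported as "libvirtd", no peer at all, and peer reported as the full /usr/sbin/libvirtd path); the profile name, pids and timestamps in them are made up. The field names requested_mask, denied_mask and peer are the ones AppArmor uses in such records, but the exact record layout on a given kernel is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample audit lines (illustrative values, not copied from the bug):
# one per case the comment describes.
SAMPLE_LINES: List[str] = [
    # kernel 5.0 (Eoan): peer detected, reported as the bare profile name
    '[ 7152.173377] audit: type=1400 audit(1560925171.038:439): apparmor="DENIED" '
    'operation="file_receive" profile="libvirt-00000000-0000-0000-0000-000000000001" '
    'pid=18422 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="receive" denied_mask="receive" peer="libvirtd"',
    # kernel 4.18 (Bionic + HWE): no peer field at all
    '[ 7152.173401] audit: type=1400 audit(1560925171.040:440): apparmor="DENIED" '
    'operation="file_send" profile="libvirt-00000000-0000-0000-0000-000000000001" '
    'pid=18422 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="send" denied_mask="send"',
    # older libvirt: peer carries the full profile path
    '[  912.000512] audit: type=1400 audit(1560900000.000:17): apparmor="DENIED" '
    'operation="file_receive" profile="libvirt-00000000-0000-0000-0000-000000000001" '
    'pid=4242 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="send receive" denied_mask="send receive" peer="/usr/sbin/libvirtd"',
]

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an AppArmor audit record into key/value fields, unquoting values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def suggest_unix_rule(fields: Dict[str, str]) -> Optional[str]:
    """Derive the narrowest unix-socket rule that would satisfy one denial.

    Returns None for records that are not unix-socket denials. The rule keeps a
    peer=(label=...) qualifier only when the kernel actually reported a peer,
    which is exactly what differs between the kernels discussed in the bug.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("family") != "unix":
        return None
    # Prefer the accesses that were actually denied; fall back to requested ones.
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    wanted = set(mask.split())
    if not wanted:
        return None
    # Keep the send/receive order used in the existing profile rule.
    perms = [p for p in ("send", "receive") if p in wanted] + sorted(wanted - {"send", "receive"})
    rule = (f"unix ({', '.join(perms)}) type={fields.get('sock_type', 'stream')} "
            f"addr={fields.get('addr', 'none')}")
    peer = fields.get("peer")
    if peer:
        rule += f" peer=(label={peer})"
    return rule + ","


def review_denials(lines: List[str]) -> List[Tuple[str, str]]:
    """Map each unix-socket denial to (suggested rule, assessment).

    A rule without a peer label allows the confined guest to talk to any unix
    stream socket it can reach, so it is flagged 'open' for manual review.
    """
    out: List[Tuple[str, str]] = []
    for line in lines:
        rule = suggest_unix_rule(parse_audit_line(line))
        if rule is None:
            continue
        assessment = "peer-bound" if "peer=(label=" in rule else "open"
        out.append((rule, assessment))
    return out


if __name__ == "__main__":
    for rule, assessment in review_denials(SAMPLE_LINES):
        print(f"{assessment:10s} {rule}")
```

Running it prints one candidate rule per record; only the 4.18 record yields the peer-less `unix (send) type=stream addr=none,` form and is marked open. The point is the portability problem the comment raises: a rule generated from the record of one kernel (label=libvirtd vs. label=/usr/sbin/libvirtd vs. no peer at all) will not necessarily load or match on another, so the peer-less variant is the one that works everywhere and also the one that needs to be reviewed rather than merged blindly.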