Comment 10 for bug 2024514
Andreas Hasenack (ahasenack) wrote :

libvirt in kinetic has the openssl abstraction included in the virt-aa-helper profile, as does lunar. Here I only see the DENIED log for the /etc/gnutls/config file:

[qui jul 13 03:05:45 2023] audit: type=1400 audit(1688507858.447:3964): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1009657 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I have created /etc/gnutls/config manually to experiment with crypto settings in gnutls: that file is not shipped in Ubuntu, which is why we are not seeing it in logs at large. This is worth a bug, but separate from this issue here.

The dynamic profile created by libvirt for the VM indeed does not seem to include the openssl abstraction, but I'm not getting the DENIED log entry for the openssl config file either. Something must be different in the VM configuration that @metta-crawler is using.

@metta-crawler, once you have a VM up that is triggering this apparmor DENIED error for the openssl config file, could you please dump it to XML and attach that to this bug?

The command would be this:

virsh dumpxml <vmname> > vm.xml

I don't *think* anything private will be in that file, but please check before attaching.
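
An added example, not part of the comment above or of libvirt: a small parser that groups AppArmor DENIED records by whether they came from the virt-aa-helper profile or from a per-VM profile, which is the distinction the comment draws. The `libvirt-<UUID>` profile naming, the openssl path and every sample line after the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# key="value" or key=value pairs as found in kernel audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: per-VM profiles generated by libvirt are named libvirt-<domain UUID>
VM_PROFILE = re.compile(r"libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # audit writes names containing spaces or quotes as unquoted hex
        if key == "name" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    if fields.get("type") != "1400" or fields.get("apparmor") != "DENIED":
        return None
    return fields

def profile_kind(profile):
    if profile == "virt-aa-helper":
        return "helper"
    return "per-vm" if VM_PROFILE.fullmatch(profile) else "other"

def summarize(lines):
    """Map (profile kind, denied path) -> sorted list of denied masks."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        if rec:
            key = (profile_kind(rec.get("profile", "")), rec.get("name", "?"))
            seen[key].add(rec.get("denied_mask", ""))
    return {key: sorted(masks) for key, masks in seen.items()}

# First line is the record quoted in the comment; the rest are constructed samples.
UUID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
SAMPLE = [
    '[qui jul 13 03:05:45 2023] audit: type=1400 audit(1688507858.447:3964): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1009657 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    f'audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="open" profile="libvirt-{UUID}" name="/etc/ssl/openssl.cnf" requested_mask="r" denied_mask="r"',
    f'audit: type=1400 audit(0.0:2): apparmor="DENIED" operation="open" profile="libvirt-{UUID}" name=' + "/tmp/my disk.img".encode().hex().upper() + ' requested_mask="rw" denied_mask="w"',
    'audit: type=1400 audit(0.0:3): apparmor="STATUS" operation="profile_replace" name="virt-aa-helper"',
]

if __name__ == "__main__":
    for (kind, path), masks in sorted(summarize(SAMPLE).items()):
        print(f"{kind:8} {path:24} denied={','.join(masks)}")
```

Feeding it the output of `dmesg` or the kernel log shows at a glance which profile is missing a rule for which path.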