Comment 6 for bug 1655111

Bart Staal (bart.staal) wrote :

I've been using qemu-bridge-helper for a while already. Since updating to 19.10, libvirtd suddenly refused to start my VMs. It turned out to be caused by apparmor; I found these log messages:

audit: type=1400 audit(1580253669.262:100): apparmor="DENIED" operation="file_inherit" profile="libvirtd//qemu_bridge_helper" pid=5629 comm="qemu-bridge-hel" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"
audit: type=1400 audit(1580253669.262:101): apparmor="DENIED" operation="file_inherit" profile="libvirtd" pid=5629 comm="qemu-bridge-hel" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd//qemu_bridge_helper"
audit: type=1400 audit(1580253669.262:102): apparmor="DENIED" operation="signal" profile="libvirtd" pid=3118 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="libvirtd//qemu_bridge_helper"

For me the change below fixed the issue. I've barely any idea what I'm doing; I've never written apparmor profiles before, so this patch probably needs a bit of fine-tuning.

--- usr.sbin.libvirtd-orig 2020-01-29 22:52:27.257908332 +0100
+++ usr.sbin.libvirtd 2020-01-29 22:45:42.358642382 +0100
@@ -62,8 +62,10 @@
   signal (send) set=("kill", "term") peer=unconfined,

   # For communication/control to qemu-bridge-helper
- unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
- signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
+ signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,

   # allow connect with openGraphicsFD, direction reversed in newer versions
   unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
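Review bot: the two new peer labels in this hunk replace the path-based rules instead of being added next to them, and the hunk header disagrees with that: `@@ -62,8 +62,10 @@` announces a net gain of two lines, while the visible hunk removes two and adds two, so the paste may not match the file that actually fixed the problem. The audit lines above report the running profile as `libvirtd//qemu_bridge_helper` with peer `libvirtd`, so the name-based labels are what matches on this system, but the path-based labels still serve a profile attached by its path; keep both the `/usr/sbin/libvirtd//qemu_bridge_helper` and the `libvirtd//qemu_bridge_helper` variants of the `unix` and `signal` rules, the same way the second hunk's trailing `signal (receive)` pair already keeps both forms.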
@@ -122,7 +124,8 @@
    network inet stream,

    # For communication/control from libvirtd
- unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
    signal (receive) set=("term") peer=/usr/sbin/libvirtd,
    signal (receive) set=("term") peer=libvirtd,
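Review bot: the `unix (send, receive)` rule is replaced here while the two `signal (receive)` rules directly below it keep both `peer=/usr/sbin/libvirtd` and `peer=libvirtd`; make the `unix` rule follow that same pattern and leave `peer=(label=/usr/sbin/libvirtd)` in place beside the new `peer=(label=libvirtd)` line. The header `@@ -122,7 +124,8 @@` also promises seven old lines and one net added line, but only six old lines are shown, so this hunk looks truncated in the paste. The `libvirtd` label does match the `peer="libvirtd"` in the first audit line, so this is the correct counterpart to the child profile's denial.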