Upgraded a 13.04 64-bit to 13.10. Before the upgrade, I had a KVM guest with USB devices working well. Since the upgrade, AppArmor blocks access to USB devices with the following errors:
Oct 27 14:17:29 laptop kernel: [ 5771.844806] type=1400 audit(1382897849.445:339): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 27 14:17:29 laptop kernel: [ 5771.844847] type=1400 audit(1382897849.445:340): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 27 14:17:29 laptop kernel: [ 5771.844947] type=1400 audit(1382897849.445:341): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 27 14:17:29 laptop kernel: [ 5771.844967] type=1400 audit(1382897849.445:342): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 27 14:17:29 laptop kernel: [ 5771.845051] type=1400 audit(1382897849.445:343): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 27 14:17:29 laptop kernel: [ 5771.845069] type=1400 audit(1382897849.445:344): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
The profile looks fine:
/etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee:
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files>
}
/etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/windows-xp.log" w,
"/var/lib/libvirt/**/windows-xp.monitor" rw,
"/var/run/libvirt/**/windows-xp.pid" rwk,
"/run/libvirt/**/windows-xp.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw,
"/home/vm/windowsxp.img" rw,
"/dev/bus/usb/002/012" rw,
"/dev/bus/usb/002/011" rw,
"/dev/bus/usb/002/007" rw,
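An added example, not part of the original report: a Python check that parses the AppArmor denial lines quoted above and tests each denied path against the quoted path rules from the .files profile. The glob matcher is a simplification that handles only `*` and `**`, the inputs are excerpts of the lines shown on this page, and rules pulled in through abstractions/libvirt-qemu are not evaluated.

```python
import re

# Two of the denial lines from the report (syslog prefix trimmed).
DENIALS = '''\
type=1400 audit(1382897849.445:339): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
type=1400 audit(1382897849.445:340): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
'''

# Excerpt of the libvirt-managed .files rules shown in the report.
RULES = '''\
"/var/log/libvirt/**/windows-xp.log" w,
"/home/vm/windowsxp.img" rw,
"/dev/bus/usb/002/012" rw,
"/dev/bus/usb/002/011" rw,
"/dev/bus/usb/002/007" rw,
'''

def parse_denials(text):
    """Return unique (profile, path, denied_mask) tuples from audit lines."""
    seen = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        kv = dict(re.findall(r'(\w+)="([^"]*)"', line))
        item = (kv["profile"], kv["name"], kv["denied_mask"])
        if item not in seen:
            seen.append(item)
    return seen

def parse_rules(text):
    """Return (glob, perms) pairs from quoted rules such as '"/path" rw,'."""
    return re.findall(r'^\s*"([^"]+)"\s+(\w+),', text, re.M)

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' does not."""
    parts = re.split(r'(\*\*|\*)', glob)
    body = "".join({"**": ".*", "*": "[^/]*"}.get(p, re.escape(p)) for p in parts)
    return re.compile(body + r"\Z")

def uncovered(denials, rules):
    """Denied paths for which no listed rule grants every denied permission."""
    compiled = [(glob_to_regex(g), set(perms)) for g, perms in rules]
    return [path for _, path, mask in denials
            if not any(rx.match(path) and set(mask) <= p for rx, p in compiled)]

if __name__ == "__main__":
    for path in uncovered(parse_denials(DENIALS), parse_rules(RULES)):
        print("no matching rule in .files excerpt:", path)
```

Both denied names are directories (`/dev/` and `/dev/bus/usb/`), while the listed rules name individual device nodes, so neither denial is matched by the excerpt.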