Re: [libvirt PATCH] apparmor: Allow running /usr/libexec/qemu-kvm

On Thu, Nov 03, 2022 at 12:13:53PM +0100, Andrea Bolognani wrote:

Distros that use AppArmor, such as Debian and Ubuntu, install QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is written with that assumption in mind.

If you try to run the RHEL or CentOS version of libvirt and QEMU inside a privileged container on such distros, however, that will result in an error, because the path /usr/libexec/qemu-kvm is used instead.

In particular, this prevents upstream KubeVirt releases (which are based on CentOS) from running on Debian/Ubuntu nodes. See

https://github.com/kubevirt/kubevirt/pull/8692

and the issues referenced therein for additional details.

Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 4 ++++ src/security/apparmor/usr.sbin.virtqemud.in | 4 ++++ 2 files changed, 8 insertions(+)

[...]

+ # Needed when running the RHEL/CentOS version of libvirt and QEMU + # inside a privileged container on a Debian/Ubuntu host + /usr/libexec/qemu-kvm PUx,

Jim and Christian, can you please take a look and confirm that this is sane? Thanks in advance! -- Andrea Bolognani / Red Hat / Virtualization