On Thu, Nov 03, 2022 at 12:13:53PM +0100, Andrea Bolognani wrote:

Distros that use AppArmor, such as Debian and Ubuntu, install
QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is
written with that assumption in mind.

If you try to run the RHEL or CentOS version of libvirt and
QEMU inside a privileged container on such distros, however,
that will result in an error, because the path
/usr/libexec/qemu-kvm is used instead.

In particular, this prevents upstream KubeVirt releases (which
are based on CentOS) from running on Debian/Ubuntu nodes. See
https://github.com/kubevirt/kubevirt/pull/8692
and the issues referenced therein for additional details.

Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
src/security/apparmor/usr.sbin.libvirtd.in | 4 ++++
src/security/apparmor/usr.sbin.virtqemud.in | 4 ++++
2 files changed, 8 insertions(+)
[...]
+ # Needed when running the RHEL/CentOS version of libvirt and QEMU
+ # inside a privileged container on a Debian/Ubuntu host
+ /usr/libexec/qemu-kvm PUx,
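
Review bot: the comment on the `/usr/libexec/qemu-kvm PUx,` rule says why the path is needed but not what the PUx mode permits. PUx switches to a profile attached to that path when one is loaded and otherwise runs the binary unconfined, and the rule is not conditional on the container case the comment describes, so it takes effect on every host that loads this profile. Suggest extending the comment to state that the unconfined fallback is intended, and confirming that nothing else on a Debian/Ubuntu host is expected to live at that path.
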
Jim and Christian,
can you please take a look and confirm that this is sane?
Thanks in advance!
--
Andrea Bolognani / Red Hat / Virtualization