On 1/18/23 10:43, Andrea Bolognani wrote:
Commit 379c0ce4bfed introduced a call to umount(/dev) performed inside the namespace that we run QEMU in.
As a result of this, on machines using AppArmor, VM startup now fails with
internal error: Process exited prior to exec: libvirt: QEMU Driver error: failed to umount devfs on /dev: Permission denied
The corresponding denial is
AVC apparmor="DENIED" operation="umount" profile="libvirtd" name="/dev/" pid=70036 comm="rpc-libvirtd"
Extend the AppArmor configuration for virtqemud and libvirtd so that this operation is allowed.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 1 + src/security/apparmor/usr.sbin.virtqemud.in | 1 + 2 files changed, 2 insertions(+)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> For more background on why umount is needed see my reply to Jim's question from earlier: https://listman.redhat.com/archives/libvir-list/2023-January/237149.html Michal