The apparmor profiles forgot about /usr/lib64 folders, just add lib64 as a possible alternative to lib in the paths --- examples/apparmor/libvirt-qemu | 2 +- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++-- examples/apparmor/usr.sbin.libvirtd | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index c6de6dd..7aad391 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -111,7 +111,7 @@ /usr/bin/qemu-sparc32plus rmix, /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-x86_64 rmix, - /usr/lib/qemu/block-curl.so mr, + /usr/{lib,lib64}/qemu/block-curl.so mr, # for save and resume /bin/dash rmix, diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper index bceaaff..b34fb35 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -1,7 +1,7 @@ # Last Modified: Mon Apr 5 15:10:27 2010 #include <tunables/global> -/usr/lib/libvirt/virt-aa-helper { +profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { #include <abstractions/base> # needed for searching directories @@ -20,7 +20,7 @@ /sys/devices/ r, /sys/devices/** r, - /usr/lib/libvirt/virt-aa-helper mr, + /usr/{lib,lib64}/libvirt/virt-aa-helper mr, /sbin/apparmor_parser Ux, /etc/apparmor.d/libvirt/* r, diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 3011eff..7151052 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -44,7 +44,7 @@ /usr/bin/* PUx, /usr/sbin/* PUx, /lib/udev/scsi_id PUx, - /usr/lib/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, # force the use of virt-aa-helper audit deny /sbin/apparmor_parser rwxl, @@ -53,7 +53,7 @@ audit deny /sys/kernel/security/apparmor/matching rwxl, audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/* PUxr, + /usr/{lib,lib64}/libvirt/* PUxr, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, -- 2.1.2

The typical case for the problem is starting a domain needing a network that isn't started. Even after starting the network, we get an unknown error when starting the container. This is due to dynamic security label not being removed. --- src/lxc/lxc_process.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index 1c0d4e5..d7eb8bc 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -1372,6 +1372,7 @@ int virLXCProcessStart(virConnectPtr conn, VIR_FREE(vm->def->seclabels[0]->model); VIR_FREE(vm->def->seclabels[0]->label); VIR_FREE(vm->def->seclabels[0]->imagelabel); + VIR_DELETE_ELEMENT(vm->def->seclabels, 0, vm->def->nseclabels); } } for (i = 0; i < nttyFDs; i++) -- 2.1.2