On Thu, 2017-11-09 at 09:43 -0700, Jim Fehlig wrote:

On 11/09/2017 09:24 AM, Cédric Bosdonnat wrote:

...

The rule 'network netlink raw' fixes these denials on libvirtd start:

apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=12969 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create" --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 819068ffc..8ac5233cc 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -36,6 +36,7 @@ network inet6 dgram, network packet dgram, network packet raw, + network netlink raw,

This is already included in intrigeri's patchset to fix other apparmor rules

https://www.redhat.com/archives/libvir-list/2017-November/msg00161.html

Oops, I was too quick, sorry for the noise. -- Cedric