On Wed, 19 Jun 2019, Christian Ehrhardt wrote: > Commit a3ab6d42 changed the libvirtd profile to a named profile > but neglected to accommodate the change in the qemu profile > ptrace and signal rules. > Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD > is still missing. > > As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with > virt-manager. > > Add openGraphicsFD rule that references the libvirtd profile > by name in addition to full binary path. > > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040 > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; > --- > src/security/apparmor/libvirt-qemu | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu > index 165558fe83..d33348aa05 100644 > --- a/src/security/apparmor/libvirt-qemu > +++ b/src/security/apparmor/libvirt-qemu > @@ -208,6 +208,7 @@ > /sys/firmware/devicetree/** r, > > # allow connect with openGraphicsFD to work > + unix (send, receive) type=stream addr=none peer=(label=libvirtd), > unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), > > # for gathering information about available host resources +1 to apply. Thanks for chasing this down.

-- Jamie Strandboge | http://www.canonical.com