control: reassign -1 libvirt-daemon-system control: tags -1 +pending On Sun, Dec 18, 2016 at 09:48:13PM +0100, intrigeri wrote: > Control: tag -1 + moreinfo > > Hi, > > Guido Günther: > > Yes, I think so. The machine is running 4.8.0 now and I think it was > > 4.2.0 before. Unfortunately it's quiet some time since I ran the tests > > last time (2016-11-15 IIRC) and the box was not up to date at that date. > > OK. It might be that the kernel component of AppArmor changed wrt. > how it handles namespaces in between, but really I've no idea. > > >> What's the last working version of AppArmor (userspace)? > > > I _think_ it's 2.10.95-4 but I'm not sure. > > OK. > > > As I wrote this is mostly a placeholder to gather the necessary > > information, I will have to put more time into sorting out what > > _exactly_ triggered it but not having seen this type of DENIED before I > > thought I'd file a bug to check with you guys if you know this kind of > > problem already. > > Cool, good idea! > > Well, info="Failed name lookup - disconnected path" does ring a bell. > It might be that the libvirtd profile needs the attach_disconnected > flag (there are plenty of examples that do in my /etc/apparmor.d). > Can you please try and report back?
That worked, reassigning to libvirt. Thanks a lot! That said this is a behaviour change in apparmor / kernel that breaks existing profiles. Do we have any means to deal with such things? Cheers, -- Guido
