Control: tag -1 + fixed-upstream

Hi,

Kjö Hansi Glaz:
> libvirtError: internal error: qemu unexpectedly closed the monitor:
> 2016-12-01T22:30:29.196276Z qemu-system-x86_64: -device
> usb-host,hostbus=3,hostaddr=5,id=hostdev0,bus=usb.0,port=4: failed to find
> host usb device 3:5

For the record I can reproduce this on current sid:

    $ virsh start tails-dev
    error: Failed to start domain tails-dev
    error: internal error: qemu unexpectedly closed the monitor: libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/002/007: Permission denied
    libusb: error [_get_usbfs_fd] libusb requires write access to USB device nodes.
    2018-01-15T06:18:24.202580Z qemu-system-x86_64: -device usb-host,hostbus=2,hostaddr=7,id=hostdev0,bootindex=2,bus=usb.0,port=3: failed to open host usb device 2:7

> * System log when starting the VM:

Here's what I see now:

    Jan 15 07:16:45 ensifera audit[21964]: AVC apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/sys/bus/usb/devices/" pid=21964 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    Jan 15 07:16:45 ensifera audit[21966]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" pid=21966 comm="apparmor_parser"
    Jan 15 07:16:45 ensifera audit[21968]: AVC apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/sys/bus/usb/devices/" pid=21968 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    Jan 15 07:16:45 ensifera audit[21980]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" pid=21980 comm="apparmor_parser"
    Jan 15 07:16:46 ensifera audit[21984]: AVC apparmor="DENIED" operation="open" profile="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" name="/dev/bus/usb/002/007" pid=21984 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=119 ouid=119

My guess was that virt-aa-helper tries to read the info it needs to add
the relevant USB device nodes to $profile.files, which explains the VM
is actually forbidden to access them. And indeed, if I add this line to
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:

    /sys/bus/usb/devices/ r,

… then virt-aa-helper successfully adds that line to
/etc/apparmor.d/libvirt/libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef.files:

    "/dev/bus/usb/002/007" rw,

… and the VM starts just fine.

This change was already applied upstream (commit
59249778705693e54df21710116ae213b194fa50) so we'll get it once the
latest release is packaged for Debian.

Cheers,
--
intrigeri
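
The diagnosis in the message above, as an added example that is not part of the original message or of libvirt: this Python script parses the AVC records quoted there, groups DENIED accesses by profile, and lists the virt-aa-helper denial ahead of the per-VM denial it leads to. The function names, the candidate-rule rendering and the ordering heuristic are assumptions of this example.

```python
import re

# AVC records copied from the message above (timestamp and host name dropped).
SAMPLE_LOG = '''\
audit[21964]: AVC apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/sys/bus/usb/devices/" pid=21964 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[21966]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" pid=21966 comm="apparmor_parser"
audit[21968]: AVC apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/sys/bus/usb/devices/" pid=21968 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[21984]: AVC apparmor="DENIED" operation="open" profile="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" name="/dev/bus/usb/002/007" pid=21984 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=119 ouid=119
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HELPER = "virt-aa-helper"  # profile name as it appears in the log above


def parse_avc(line):
    """Return the key/value fields of one AppArmor AVC record, or None."""
    if "AVC apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def denials_by_profile(log_text):
    """Collect DENIED accesses as {profile: {path: set of denied permission letters}}."""
    found = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("apparmor") == "DENIED" and "name" in rec:
            perms = found.setdefault(rec["profile"], {}).setdefault(rec["name"], set())
            perms.update(rec.get("denied_mask", ""))
    return found


def triage(log_text):
    """Return (profile, candidate rule, note) tuples, helper denials first."""
    denials = denials_by_profile(log_text)
    report = []
    for profile in sorted(denials, key=lambda p: p != HELPER):
        for path, perms in sorted(denials[profile].items()):
            mask = "".join(sorted(perms, key="rwxmlk".find))
            if profile == HELPER:
                note = "helper could not read this path: review first"
            elif HELPER in denials:
                note = "generated profile lacks this rule: likely follows from the helper denial"
            else:
                note = "generated profile lacks this rule: no helper denial in this log"
            report.append((profile, f"{path} {mask},", note))  # candidate rule, for review
    return report


if __name__ == "__main__":
    for profile, rule, note in triage(SAMPLE_LOG):
        print(f"{profile}\n    {rule}\n    # {note}")
```
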