Package:libapparmor1 When trying to create VMs with disks on scsi apparmor will show warnings in journal.
Relevant packages versions: libapparmor1/testing,now 2.13.2-10 amd64 libvirt-daemon-system/testing,now 5.0.0-4 amd64 The apparmor warning line from journal is the following: audit: type=1400 audit(1562337821.518:28): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=1611comm="libvirt_parthel" capability=17 capname="sys_rawio" As I said, the above warning shows up when trying to run a VM with an scsi disk: In order to reproduce the above warning run a VM with the following command: virt-install --connect qemu:///system --name test --os-variant fedora-unknown --memory 500 --vcpus 1 --wait -1 --noautoconsole --noreboot --disk path=/dev/sda1,device=disk,bus=virtio,readonly=off,shareable=off,cache=none,driver_name=qemu,driver_type=raw,io=native --cdrom https://localhost:8000/novell.iso Where /dev/sda1 is a partition on a scsi disk as you can see root@unassigned-hostname:~# ls -la /dev/disk/by-id/ | grep sda lrwxrwxrwx 1 root root 9 Jul 5 11:24 pci-0000:00:02.0-scsi-0:0:2:0 -> ../../sda lrwxrwxrwx 1 root root 10 Jul 5 11:24 pci-0000:00:02.0-scsi-0:0:2:0-part1 -> ../../sda1 Expected behavior: Since CAP_SYS_RAWIO is needed to perform various SCSI device commands I would expect that the apparmor profile would be extended to allow that capability. Regards, Katerina
