[re-added the bug report]

On Tue, Dec 17, 2024 at 12:09:34PM -0800, Paul B. Henson wrote:
> On 12/17/2024 5:59 AM, Andrea Bolognani wrote:
> > On Sat, Feb 24, 2024 at 12:16:35PM -0800, Paul B. Henson wrote:
> > > Package: libvirt0
> > > Version: 9.0.0-4
> > >
> > > When I start VMs, I see this error message in the system logs:
> > >
> > > kernel: [578906.082105] audit: type=1400 audit(1708728091.927:140):
> > > apparmor="DENIED" operation="open"
> > > profile="libvirt-f1f75261-a8b3-4987-b3b4-66577cc691b3"
> > > name="/etc/ssl/openssl.cnf" pid=266042 comm="qemu-system-x86"
> > > requested_mask="r"
> > > denied_mask="r" fsuid=64055 ouid=0
> > >
> > > It appears the libvirt AppArmor template does not provide access? I didn't
> > > see this issue under Debian 11, but it started popping up after updating
> > > to Debian 12, specifically. I'm currently running 12.5.
> >
> > Laurent has helpfully already forwarded the report upstream:
> >
> > https://gitlab.com/libvirt/libvirt/-/issues/712
> >
> > Upstream is suggesting trying again with AppArmor 4.0.0, which is
> > unfortunately not really feasible in the context of Debian.
> >
> > What I would like to confirm, though, is that your VMs are configured
> > to access disks via HTTP or some other protocol that requires QEMU to
> > use curl. That would explain why QEMU would need to access OpenSSL
> > configuration files in the first place, and why I'm not seeing the
> > denial for my own VMs (which are backed by local storage).
>
> Hmm, no, all of the disks are raw volumes either on LVM or zvols, or ISO
> images in the standard /var/lib/libvirt/images directory.
>
> Out of curiosity, are you using UEFI or BIOS? My VMs are UEFI if that makes
> a difference. I also have a Windows VM using a software TPM, but I'm pretty
> sure I saw the error on my Linux VMs too before I added a local
> configuration to allow it.
I've managed to reproduce this locally and the culprit appears to be the
use of SPICE graphics. If I switch to VNC, or disable graphics entirely,
it no longer shows up.

-- 
Andrea Bolognani <e...@kiyuko.org>
Resistance is futile, you will be garbage collected.
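The denial in the report is a standard AppArmor audit record, and the usual triage step is to turn such records into the file rule a local override would need. The following is an added example, not code from the thread or from the libvirt project: it parses kernel-log lines in the format quoted above (the first sample line is the one from the report, the second is a constructed ALLOWED event to show the filtering) and derives the rule implied by each DENIED event. The per-VM profile names (`libvirt-<uuid>`) are generated by libvirt at VM start, so a rule derived this way would not be added under that name; it would go into a shared local abstraction (on Debian, assumed here to be `/etc/apparmor.d/local/abstractions/libvirt-qemu`, which the thread does not name).

```python
"""Parse AppArmor audit denials from kernel-log lines and derive the file
rule that would permit each denied access.

Added example for triage; the sample input below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the bug report,
# line 2 is an invented ALLOWED event (complain mode) that must be ignored.
SAMPLE_LOG = """\
kernel: [578906.082105] audit: type=1400 audit(1708728091.927:140): apparmor="DENIED" operation="open" profile="libvirt-f1f75261-a8b3-4987-b3b4-66577cc691b3" name="/etc/ssl/openssl.cnf" pid=266042 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
kernel: [578906.090112] audit: type=1400 audit(1708728091.935:141): apparmor="ALLOWED" operation="open" profile="libvirt-f1f75261-a8b3-4987-b3b4-66577cc691b3" name="/var/lib/libvirt/images/test.iso" pid=266042 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

# key=value or key="quoted value" pairs as the AppArmor LSM emits them.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Return one dict of fields per line that carries an apparmor= field."""
    events = []
    for line in text.splitlines():
        if "apparmor=" not in line:
            continue
        events.append({k: v.strip('"') for k, v in _KV.findall(line)})
    return events


def denials(events):
    """Keep only enforced denials; ALLOWED/AUDIT events are informational."""
    return [e for e in events if e.get("apparmor") == "DENIED"]


def suggest_rule(event):
    """Turn a file-access denial into an AppArmor file rule.

    Only events with an absolute name= path and a mask are handled; anything
    else (signals, capabilities, dbus, ...) returns None for manual review.
    """
    path = event.get("name")
    mask = event.get("denied_mask") or event.get("requested_mask")
    if not path or not path.startswith("/") or not mask:
        return None
    # Normalise the mask: the log may print "wr", rule syntax reads "rw".
    order = "rwalkmix"
    perms = "".join(ch for ch in order if ch in mask)
    return f"{path} {perms},"


def rules_by_profile(text):
    """Map each profile name to the sorted list of rules its denials imply."""
    out = defaultdict(set)
    for e in denials(parse_events(text)):
        rule = suggest_rule(e)
        if rule:
            out[e["profile"]].add(rule)
    return {p: sorted(r) for p, r in out.items()}


if __name__ == "__main__":
    # Assumed location of the shared local override on Debian (not from the thread).
    print("# candidate rules for /etc/apparmor.d/local/abstractions/libvirt-qemu")
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"# derived from profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Run it against `journalctl -k` output piped to stdin (replace `SAMPLE_LOG` with `sys.stdin.read()`) to get the same summary for a live host; the `comm=` field is worth checking before accepting a rule, since a denial for a process other than `qemu-system-*` under a `libvirt-` profile would be a different problem than the one discussed here.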