In order for apparmor to work properly in Xen environments, the following
access rights need to be allowed:
- Allow CAP_SYS_PACCT, which is required when resetting some multi-port
Broadcom cards by writting to the PCI config space
- Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
this setting, an error 'Resource temporarily unavailable' can be seen
while attempting to mmap memory. At the same time, the following
apparmor message is seen:
apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
capname="ipc_lock"
- Allow access to distribution specific directories:
/usr/{lib,lib64}/xen/bin
---
examples/apparmor/usr.sbin.libvirtd | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 7151052..9917836 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -13,6 +13,7 @@
capability sys_admin,
capability sys_module,
capability sys_ptrace,
+ capability sys_pacct,
capability sys_nice,
capability sys_chroot,
capability setuid,
@@ -24,6 +25,7 @@
capability mknod,
capability fsetid,
capability audit_write,
+ capability ipc_lock,
# Needed for vfio
capability sys_resource,
@@ -45,6 +47,7 @@
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen/bin/* Ux,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
--
1.8.4.5
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list