[sandbox] Weird apparmor problems

Cedric Bosdonnat <cbosdonnat@xxxxxxxx> · Thu, 29 Oct 2015 17:35:23 +0100

Hi all,

I'm seeing weird apparmor errors when running virt-sandbox here. Here are the log entries:

apparmor="ALLOWED" operation="mknod" parent=1 profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/var/lib/libvirt/qemu/sandbox.monitor" pid=2251 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=493 ouid=493
apparmor="ALLOWED" operation="open" parent=1 profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/ptmx" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/pts/2" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=493
apparmor="ALLOWED" operation="file_perm" parent=1 profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/var/log/libvirt/qemu/sandbox.log" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/ptmx" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/pts/3" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=493
apparmor="ALLOWED" operation="file_perm" parent=1 profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/var/log/libvirt/qemu/sandbox.log" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="libvirt-634ed189-cca0-4126-830c-4e4a76846b25" name="/dev/kvm" pid=2251 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=493 ouid=0

The weird thing is that /dev/kvm, /var/log/libvirt/qemu/sandbox.log
and /var/lib/libvirt/qemu/sandbox.monitor already have rules.

And I'm wondering if it's normal to have write access to /dev/pts/*
and /dev/ptmx.

Any idea?

--
Cedric

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list