Hi Christian,

On Fri, 2017-05-19 at 11:18 +0200, Christian Ehrhardt wrote:
>
> On Fri, May 19, 2017 at 10:03 AM, Guido Günther <agx@xxxxxxxxxxx> wrote:
> > But if we aim for a profile replace on blockcommit [1] that wouldn't matter
> > since the whole profile would get replaced, wouldn't it?
>
> Since this is based on [1][2] looping in Cédric here to share some old explanations.
> See especially [1] for some reasoning for 'R' in general.
>
> [1]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=c726af2d5a2248f0dad01201b2fc5231fbd4c20f
> [2]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=cedd2ab28262db62976b351dbf2a0f8d9f88ca9e

Sadly the bug report isn't public since it has been reported against SLES. But here is the description of the bug that motivated that fix:

------------------ %< ------------------
Steps to reproduce:

* run virt-sandbox /bin/sh as root

Expected result:

Run a shell in a qemu domain, apparmor enforced

Actual result:

Domain fails to start

After some more debugging it happens that the problem is caused by

    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/'/>
      <target dir='host_root'/>
      <readonly/>
    </filesystem>

Since commit http://libvirt.org/git/?p=libvirt.git;a=commit;h=d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f, virt-aa-helper generates a "deny /** w" rule in such cases that takes precedence over the allow rules. This has several effects:

* It hides the DENIED/ALLOWED apparmor log entries
* It prevents qemu from writing to the log file, /dev/ptmx and other important files needed to run the domain.

To see the rules, add the audit flag to the /etc/apparmor.d/libvirt/TEMPLATE.qemu file and rerun virt-sandbox.
------------------ %< ------------------

Hi hope this will answer your questions

--
Cedric

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
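A small pre-flight check for the failure mode Cedric describes, added here as an example and not code from libvirt or virt-aa-helper: it scans a domain XML for read-only passthrough filesystems, derives the write-deny rule such a filesystem is assumed to produce (the assumption is `deny <source dir>/** w`, which for `<source dir='/'/>` gives the `deny /** w` from the report), and lists which of the paths qemu must write would be shadowed, since AppArmor deny rules override allow rules. The domain XML and the log path are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample domain XML modelled on the filesystem element quoted in the thread.
DOMAIN_XML = """<domain type='kvm'>
  <name>sandbox</name>
  <devices>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/'/>
      <target dir='host_root'/>
      <readonly/>
    </filesystem>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/srv/shared'/>
      <target dir='shared'/>
    </filesystem>
  </devices>
</domain>"""

# Paths qemu must be able to write for the domain to start: /dev/ptmx is named in
# the report; the log path is a constructed example under libvirt's log directory.
QEMU_WRITE_PATHS = ["/var/log/libvirt/qemu/sandbox.log", "/dev/ptmx"]


def readonly_deny_rules(domain_xml):
    """Deny rules assumed to be emitted for read-only mount filesystems:
    'deny <source>/** w' (assumption for illustration, not virt-aa-helper's logic)."""
    root = ET.fromstring(domain_xml)
    rules = []
    for fs in root.iter("filesystem"):
        if fs.get("type") != "mount" or fs.find("readonly") is None:
            continue
        src = fs.find("source").get("dir").rstrip("/")
        rules.append(f"deny {src}/** w")
    return rules


def _glob_to_regex(pattern):
    # AppArmor globbing: '**' spans directory separators, '*' does not.
    parts = re.split(r"(\*\*|\*)", pattern)
    regex = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + regex + "$")


def shadowed_writes(domain_xml, needed=QEMU_WRITE_PATHS):
    """Map each deny rule to the required write paths it blocks. Because deny rules
    take precedence, a matching allow rule elsewhere in the profile does not help."""
    blocked = {}
    for rule in readonly_deny_rules(domain_xml):
        rx = _glob_to_regex(rule.split()[1])
        hits = [p for p in needed if rx.match(p)]
        if hits:
            blocked[rule] = hits
    return blocked


if __name__ == "__main__":
    for rule, paths in shadowed_writes(DOMAIN_XML).items():
        print(f"{rule!r} would block qemu writes to: {', '.join(paths)}")
```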