[PATCH] apparmor: avoid denials on libpmem initialization

With libpmem support compiled into qemu it will trigger the following
denials on every startup.
  apparmor="DENIED" operation="open" name="/"
  apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"

This is due to [1] that tries to auto-detect if the platform supports
auto flush for all regions.

Once we know all the paths that are potentially needed if this feature
is really used we can add them conditionally in virt-aa-helper and labelling
calls in case </pmem> is enabled.

But until then the change here silences the denial warnings seen above.

[1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131

Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
---
 src/security/apparmor/libvirt-qemu | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 80986aec61..602f5eb587 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -227,3 +227,8 @@
   # required for sasl GSSAPI plugin
   /etc/gss/mech.d/ r,
   /etc/gss/mech.d/* r,
+
+  # scanned on libpmem init, but harmless on any lsb compliant system
+  / r,
+  /sys/bus/nd/devices/ r,
+  /sys/bus/nd/devices/* r,
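Review bot: the new `/sys/bus/nd/devices/* r,` rule matches only direct children of that directory, so if the libpmem auto-detection referenced in [1] descends into per-device subdirectories when pmem is actually in use, further denials will appear; since the commit message already defers the full path list to a later conditional virt-aa-helper change, it would help to say so in the in-profile comment, e.g. "only covers the startup scan; per-device paths still to be added", so a later reader does not take this as complete libpmem coverage. Also worth noting in the comment that `/ r,` grants read of the root directory entry only (a listing), not recursive access, which is what makes it harmless as the comment claims.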
-- 
2.26.0