LXC processes confined by apparmor are not permitted to receive signals from libvirtd. Attempting to destroy such a process fails virsh --connect lxc:/// destroy distro_apparmor error: Failed to destroy domain distro_apparmor error: Failed to kill process 29491: Permission denied And from /var/log/audit/audit.log type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED" operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1" pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd" Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc abstraction allowing reception of signals from libvirtd. Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> --- src/security/apparmor/libvirt-lxc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libvirt-lxc index e556f2a7bd..0c8b812743 100644 --- a/src/security/apparmor/libvirt-lxc +++ b/src/security/apparmor/libvirt-lxc @@ -1,5 +1,9 @@ #include <abstractions/base> + # Allow receiving signals from libvirtd + signal (receive) peer=libvirtd, + signal (receive) peer=/usr/sbin/libvirtd, + umount, # ignore DENIED message on / remount -- 2.29.2
