libvirtd: apparmor DENIED for /etc/ssl/openssl.cnf
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Debian) | New | Unknown | |
libvirt (Ubuntu) | Incomplete | Undecided | Andreas Hasenack |
Bug Description
Description:
When I try to use virt-manager to create a new qemu-system-x86_64 VM, it fails and the journal shows an apparmor DENIED for /etc/ssl/
Reproducing:
It's pretty implicit that trying to create a new VM will reproduce this.
It happens 100% of the time.
Expected:
If I try to create a new VM using virt-manager, I will get a new, working VM.
Actual:
Everything about the VM creation looks OK until the VM boots and then the VM BIOS shows that the BIOS cannot open a disk or ISO or something like that.
Log messages:
Jun 20 22:00:26 coyote~ audit[67219]: AVC apparmor="DENIED" operation="open" class="file" profile=
Jun 20 22:00:26 coyote kernel: audit: type=1400 audit(168731282
ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: libvirt-
ProcVersionSign
Uname: Linux 6.2.0-23-generic x86_64
NonfreeKernelMo
ApportVersion: 2.26.1-0ubuntu3
Architecture: amd64
CasperMD5CheckR
Date: Tue Jun 20 23:01:34 2023
InstallationDate: Installed on 2022-10-09 (254 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Daily amd64 (20221008)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-
SourcePackage: libvirt
UpgradeStatus: Upgraded to mantic on 2023-06-20 (0 days ago)
Changed in libvirt (Debian):
status: Unknown → New
Changed in libvirt (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
tags: removed: server-todo
Hello and thanks for running the Ubuntu development release!
I can confirm this happens on my Mantic system, even if the error doesn't seem to have any immediately visible adverse effect. The linked Debian bug also mentions the VM pausing after some time, but I'm not experiencing this behavior, which seems unrelated to the AppArmor issue.
It is likely that the profiles need updating to allow access to openssl.cnf.
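
A triage helper for denials like the one in this report, as an added example that is not part of the bug report or of libvirt or AppArmor: it parses AppArmor audit lines from the journal, collapses the duplicate audit/kernel entries, and lists each denied path and access mask per profile as a candidate rule for review. The log lines, host name and the profile name `example-profile` are constructed; only the path /etc/ssl/openssl.cnf comes from the report.

```python
import re
from collections import defaultdict

# Constructed sample journal lines (host, pids, timestamps and the profile name
# "example-profile" are made up; only the denied path comes from the report).
_D = ('apparmor="{v}" operation="open" class="file" profile="example-profile" '
      'name="{p}" pid=1111 comm="example" requested_mask="r" denied_mask="r" '
      'fsuid=0 ouid=0')
SAMPLE_LOG = "\n".join([
    'Jun 20 22:00:26 host audit[1111]: AVC '
    + _D.format(v="DENIED", p="/etc/ssl/openssl.cnf"),
    'Jun 20 22:00:26 host kernel: audit: type=1400 audit(1700000000.000:100): '
    + _D.format(v="DENIED", p="/etc/ssl/openssl.cnf"),
    'Jun 20 22:00:27 host audit[1111]: AVC '
    + _D.format(v="ALLOWED", p="/tmp/example"),
])

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value fields of one audit line (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def summarize(log_text):
    """Map (profile, path) -> set of denied access letters, DENIED events only."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue  # skip ALLOWED (complain mode) and events without a path
        denied[(f.get("profile", "?"), f["name"])].update(f.get("denied_mask", ""))
    return dict(denied)

def candidate_rules(log_text):
    """Render each denial as 'profile: path mask,' for a human to review."""
    return [f"{profile}: {path} {''.join(sorted(mask))},"
            for (profile, path), mask in sorted(summarize(log_text).items())]

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

The output is a review list, not a profile patch: each line should be checked against what the confined program legitimately needs before any rule is added.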