qemu - apparmor causes issues on libvirt with custom qemu

Question

I wanted to run libvirt using a customized version of qemu. However, after I installed my version of qemu and rebooted I get the following message in dmesg

type=1400 audit(1338385059.381:51): apparmor="DENIED" operation="exec" parent=1700 profile="/usr/sbin/libvirtd" name="/usr/local/bin/qemu-system-x86_64" pid=1746 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

I tried editing the /etc/apparmor.d/abstractions/libvirt-qemu and added the following line and rebooted

/usr/local/bin/qemu-system-x86_64 rmix,

However the issue is still present. I am really new to apparmor, in fact hadn't read much on it till I found this error. Any help would be greatly appreciated.

Answer 1

Your log message indicates that the problem was in the /usr/sbin/libvirtd profile; see the profile="/usr/sbin/libvirtd" portion of the message. This profile is stored in /etc/apparmor.d/usr.sbin.libvirtd; this profile does not include the /etc/apparmor.d/abstractions/libvirt-qemu abstraction -- this is instead loaded via the profiles in /etc/apparmor.d/libvirt/. See the last lines in the libvirtd profile:

  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

Probably the easiest answer would be to add the following line to your local/usr.sbin.libvirtd file:

/usr/local/bin/qemu-system-x86_64 rmix,

(Though perhaps it would require PUx instead; the main /usr/sbin/libvirtd profile currently has /usr/bin/* PUx,, which is probably how the /usr/bin/qemu-system-x86_64 gets executed currently.)

Another approach is to run aa-logprof, and allow the tools to prompt you. You may not build the prettiest profiles using the tools, but it should be fairly straightforward and have the same security properties as hand-authoring your profiles.

I hope this helps.