I got this error message. I'm not sure it can be easily fixed though, and I don't think this is blocking.

[ 29.359034] audit: type=1400 audit(1503670039.772:50): apparmor="DENIED" operation="exec" profile="/usr/sbin/dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=4768 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 29.359037] audit: type=1400 audit(1503670039.772:51): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=4768 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I'm running apparmor 2.11.0 on kernel 4.12.5-gentoo

[I] sec-policy/apparmor-profiles
     Available versions:  (~)2.11.0^t {minimal}
     Installed versions:  2.11.0^t(19:46:06 18/04/17)(-minimal)

[I] sys-apps/apparmor
     Available versions:  (~)2.11.0 {doc}
     Installed versions:  2.11.0(13:30:29 27/03/17)(doc)
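An added example (not part of the original report): a small Python parser that groups AppArmor DENIED audit records like the two above by profile and path, so the denied permissions per file are visible at a glance. The function names are illustrative, and treating an unquoted name= value as a hex-encoded path is an assumption about how the audit layer writes paths containing special characters.

```python
import re
from collections import defaultdict

# Constructed sample input: the two kernel audit lines quoted in the report above.
SAMPLE_LOG = '''\
[ 29.359034] audit: type=1400 audit(1503670039.772:50): apparmor="DENIED" operation="exec" profile="/usr/sbin/dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=4768 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 29.359037] audit: type=1400 audit(1503670039.772:51): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=4768 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_denials(text):
    """Return one dict of fields per apparmor="DENIED" record; skip other lines."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for key, quoted, bare in KV.findall(line):
            value = quoted or bare
            # Assumption: an unquoted, all-hex name= is a hex-encoded path.
            if key == "name" and bare and HEX.fullmatch(bare):
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            fields[key] = value
        records.append(fields)
    return records


def summarize(records):
    """Map (profile, path) -> sorted string of denied permission letters."""
    summary = defaultdict(set)
    for rec in records:
        key = (rec.get("profile"), rec.get("name"))
        summary[key].update(rec.get("denied_mask", ""))
    return {key: "".join(sorted(mask)) for key, mask in summary.items()}


if __name__ == "__main__":
    for (profile, path), mask in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"profile {profile}: {path} denied '{mask}'")
```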
I'm afraid that apparmor-profiles are as shipped by upstream and are completely untested on Gentoo.
It's sufficient to add the lines

  /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
  /usr/libexec/libvirt_leaseshelper m,

to /etc/apparmor.d/local/usr.sbin.dnsmasq and restart the services via e.g.

  systemctl restart apparmor libvirtd
As an alternative to creating the local file, the existing /etc/apparmor.d/usr.sbin.dnsmasq profile can be modified. Simply replacing /usr/lib{,64}/libvirt/libvirt_leaseshelper with /usr/libexec/libvirt_leaseshelper is sufficient to make it work on Gentoo. I think the ebuild should apply this patch.
Created a bug in apparmor-profiles: https://gitlab.com/apparmor/apparmor/-/issues/87
(In reply to Vladimir Shapranov from comment #4)
> Created a bug in apparmor-profiles:
> https://gitlab.com/apparmor/apparmor/-/issues/87

This looks like it's fixed in 3.0.0.