If possible, please add apparmor support (USE flag) as an alternative to selinux.
Steps to Reproduce:
1. emerge libvirt
2. set in /etc/libvirt/qemu.conf
security_driver = "apparmor"
3. try to start libvirtd
2015-07-12 00:00:45.068+0000: 10388: error : virSecurityDriverLookup:93 : internal error: Security driver apparmor not found
2015-07-12 00:00:45.068+0000: 10388: error : qemuSecurityInit:449 : Failed to initialize security drivers
2015-07-12 00:00:45.068+0000: 10388: error : virStateInitialize:783 : Initialization of QEMU state driver failed: internal error: Security driver apparmor not found
2015-07-12 00:00:45.068+0000: 10388: error : daemonRunStateInit:908 : Driver state initialization failed
Please test version 1.2.17-r1, or 9999. If there is something amiss, please reopen.
I hope that the apparmor configuration installed by upstream under /etc/apparmor.d/ works out of the box - I have no way of testing it.
*libvirt-1.2.17-r1 (25 Jul 2015)
25 Jul 2015; Matthias Maier <email@example.com> +libvirt-1.2.17-r1.ebuild,
-libvirt-1.2.16-r2.ebuild, -libvirt-1.2.17.ebuild, libvirt-9999.ebuild,
drop old; use readme.gentoo for all elog messages; fix dependencies wrt
ebtables and iptables, bug #553120; add apparmor use flag, bug #554628
Some binaries (e.g. virt-aa-helper) are installed to /usr/libexec/, while the apparmor profiles expect them under /usr/lib/libvirt/; in this condition it doesn't work.
To fix this, the profiles can be edited (I just changed the paths and it worked, see the attachment).
Or something could be done so that these binaries are installed to /usr/lib/libvirt/ (as in other distributions).
Created attachment 407768 [details, diff]
apparmor for libvirt
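As an added example (not code from this bug report, nor from the libvirt or Gentoo projects), here is a small POSIX shell check for the kind of path mismatch described in the comment above: it scans a directory of AppArmor profiles for every absolute path ending in a given helper name and reports whether that path actually exists as an executable on the system. A profile rule naming a path that is not there grants nothing, so libvirtd ends up denied the helper. The fixture below is constructed under a temporary directory to reproduce the mismatch; the profile name, helper name and directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libvirt/Gentoo.
# Checks that helper binaries named in AppArmor profiles really exist.

# check_helper_paths PROFILE_DIR HELPER...
# Prints "ok <path>" or "MISSING <path>" for every absolute path in the
# profiles that ends in /<HELPER>.  Returns 0 if all exist, 1 otherwise.
check_helper_paths() {
    dir=$1; shift
    rc=0
    for helper in "$@"; do
        # every absolute path mentioned in any profile that ends in /<helper>
        for p in $(grep -rhoE "/[A-Za-z0-9_./-]*/$helper" "$dir" 2>/dev/null | sort -u); do
            if [ -x "$p" ]; then
                echo "ok $p"
            else
                echo "MISSING $p"
                rc=1
            fi
        done
    done
    return $rc
}

# make_fixture SUBDIR: constructed throwaway tree (assumption, for illustration).
# The helper is installed under <root>/usr/libexec, mirroring the Gentoo layout
# from the report; the profile names <root>SUBDIR/virt-aa-helper instead.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/libexec" "$root/etc/apparmor.d"
    printf '#!/bin/sh\n' > "$root/usr/libexec/virt-aa-helper"
    chmod +x "$root/usr/libexec/virt-aa-helper"
    printf '  %s%s/virt-aa-helper PUx,\n' "$root" "$1" \
        > "$root/etc/apparmor.d/usr.sbin.libvirtd"
    echo "$root"
}

# Profile points at the /usr/lib/libvirt location: the check must fail (returns 1).
demo_mismatch() {
    root=$(make_fixture /usr/lib/libvirt)
    check_helper_paths "$root/etc/apparmor.d" virt-aa-helper
}

# Profile corrected to /usr/libexec, where the binary really is: returns 0.
demo_fixed() {
    root=$(make_fixture /usr/libexec)
    check_helper_paths "$root/etc/apparmor.d" virt-aa-helper
}

demo_mismatch || echo "mismatch detected, as expected for the shipped profile"
demo_fixed
```

On a real host the same function can be pointed at /etc/apparmor.d with the helper names from the thread (virt-aa-helper, libvirt_lxc) to confirm that the installed profiles match where the ebuild actually put the binaries.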
I have applied the changes, thanks for the patch! If there is still something broken, please reopen.
*libvirt-1.2.17-r2 (28 Jul 2015)
28 Jul 2015; Matthias Maier <firstname.lastname@example.org>
+files/libvirtd.init-r16, +libvirt-1.2.17-r2.ebuild, -files/libvirtd.confd-r5,
-files/libvirtd.init-r15, -libvirt-1.2.17-r1.ebuild, libvirt-9999.ebuild:
Change default behavior for kvm guest in openrc runscript, bug #555736; fix
apparmor configuration, bug #554628; ebuild maintenance
There is an incorrect path to virt-aa-helper in your patch; libvirt cannot create the AppArmor profile for the VM.
Created attachment 407866 [details, diff]
fix for patch
Ah, I screwed up. I had to apply your original patch manually and did not realize that this wasn't just a renaming. Patch for the patch applied!
*libvirt-1.2.17-r3 (29 Jul 2015)
29 Jul 2015; Matthias Maier <email@example.com> +libvirt-1.2.17-r3.ebuild,
fix apparmor configuration, many thanks to aporilel, bug #544628
It works, thank you.
I'm sorry, when I checked this, apparently my old apparmor profiles were active.
libvirtd should have access to virt-aa-helper; add this line to the usr.sbin.libvirtd profile:
Let's see :-]
Author: Matthias Maier <firstname.lastname@example.org>
Date: Thu Aug 13 22:48:09 2015 -0500
app-emulation/libvirt: fix apparmor conf in 1.2.17 and 1.2.18 (bug #554628)
The libvirtd daemon also needs access to the virt-aa-helper and libvirt_lxc
helpers residing under /usr/libexec. This is now fixed.
Thanks to aporilel.