[Bug 1989100] Re: AppArmor DENIES swtpm pid file access
Lena Voytek
1989100 at bugs.launchpad.net
Mon Oct 24 18:45:32 UTC 2022
It looks like, due to a recent update in how libvirt handles
/run/libvirt/qemu/swtpm/*.pid, swtpm blocks it. I created a PPA for
22.10 that updates the apparmor profile, located here:
https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-fix-apparmor-libvirt
If you would like to test it you can run the following:
$ sudo add-apt-repository ppa:lvoytek/swtpm-fix-apparmor-libvirt
$ sudo apt update
$ sudo apt upgrade
Alternatively you can add the following line to
/etc/apparmor.d/local/usr.bin.swtpm:
/run/libvirt/qemu/swtpm/*.pid rwk,
Let me know if this fixes it.
Thanks!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1989100
Title:
AppArmor DENIES swtpm pid file access
Status in libvirt package in Ubuntu:
Confirmed
Status in swtpm package in Ubuntu:
In Progress
Bug description:
libvirt 8.6.0-0ubuntu1
apparmor 3.0.7-1ubuntu1
One of our CI tests runs virt-install in a specific way that
ultimately fails with this in the error message:
ERROR internal error: Could not get process id of swtpm
The journal has this message:
audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" operation="file_inherit" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
This is nested virtualization. If you need the exact invocation of
virt-install, I can dig that out.
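As an added example (not code from this thread or from the swtpm or libvirt packages), a small POSIX shell script that extracts the rule a DENIED line like the one above is asking for, and adds the local override line from the reply without duplicating it; the profile path named in the reload comment is assumed.

```shell
#!/bin/sh
# Added example (not from the bug thread): turn an AppArmor DENIED audit
# line into the matching profile rule, and add a rule to the local
# override file only if it is not already there.

# Print the value of a key="value" field from an audit line.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Map a denial to the rule that would allow it, using the denied_mask
# letters directly (valid for the r/w/k masks seen in this report).
denial_to_rule() {
    local name mask
    name=$(audit_field "$1" name)
    mask=$(audit_field "$1" denied_mask)
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$name" "$mask"
}

# Append a rule to a local profile file unless it is already present.
# Prints "added" or "present". Reload afterwards with, for example,
# sudo apparmor_parser -r /etc/apparmor.d/usr.bin.swtpm (assumed path).
ensure_local_rule() {
    local file rule
    file=$1; rule=$2
    if [ -f "$file" ] && grep -qxF "$rule" "$file"; then
        printf 'present\n'
    else
        printf '%s\n' "$rule" >> "$file"
        printf 'added\n'
    fi
}

# Constructed sample: the denial quoted in the bug, on one line.
SAMPLE_DENIAL='audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" operation="file_inherit" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0'

# Rule for the exact file; the fix in this thread generalises it to *.pid rwk
denial_to_rule "$SAMPLE_DENIAL"

# Demonstrate idempotent addition on a scratch file, not the real profile.
scratch=$(mktemp)
ensure_local_rule "$scratch" '/run/libvirt/qemu/swtpm/*.pid rwk,'
ensure_local_rule "$scratch" '/run/libvirt/qemu/swtpm/*.pid rwk,'
rm -f "$scratch"
```

The generated rule names the exact pid file; the reply's `*.pid rwk,` line covers every VM and the read/lock access swtpm also needs, so that is the line to put in the local file.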