@ClaudeD, could you please list either a kvm command line or a virsh dumpxml output (or both) for a domain that has trouble? I tried to reproduce just passing in a yubikey, but had no permission problems.
(in my test, the kvm command was started with specific hostbus=2,hostaddr=4 information, so presumably you're passing in something more generic which requires qemu to look for host info...)

** Also affects: libvirt (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Description changed:

+ =============================
+ SRU Justification:
+ 1. Impact: usb devices can't be used under libvirt kvm guests
+ 2. Development fix: allow libvirt to have read access to some information it now insists on having.
+ 3. Stable fix: cherrypick of dev fix
+ 4. Test case: create a libvirt VM with a usb device passed from the host
+ 5. Regression potential: This allows libvirt to see a bit more host system information, however the security team sees no problem with it.
+ ==============================
+
  Upgraded a 13.04 64 bit to 13.10.

  Before the upgrade, I had KVM guest with usb devices working well. Since the upgrade, apparmor blocks access to usb devices with the following errors :

  Oct 27 14:17:29 laptop kernel: [ 5771.844806] type=1400 audit(1382897849.445:339): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.844847] type=1400 audit(1382897849.445:340): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.844947] type=1400 audit(1382897849.445:341): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.844967] type=1400 audit(1382897849.445:342): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.845051] type=1400 audit(1382897849.445:343): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.845069] type=1400 audit(1382897849.445:344): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0

  The profile looks fine :

  /etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee:
  #
  # This profile is for the domain whose UUID matches this file.
  #

  #include <tunables/global>

  profile libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee {
    #include <abstractions/libvirt-qemu>
    #include <libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files>
  }

  /etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files:
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/windows-xp.log" w,
    "/var/lib/libvirt/**/windows-xp.monitor" rw,
    "/var/run/libvirt/**/windows-xp.pid" rwk,
    "/run/libvirt/**/windows-xp.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw,
    "/home/vm/windowsxp.img" rw,
    "/dev/bus/usb/002/012" rw,
    "/dev/bus/usb/002/011" rw,
    "/dev/bus/usb/002/007" rw,

** Changed in: libvirt (Ubuntu Saucy)
   Importance: Undecided => High

** Changed in: libvirt (Ubuntu Saucy)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1245251

Title:
  Apparmor blocks usb devices in libvirt in Saucy
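
Added example (not part of the bug report, and not libvirt or AppArmor code): a short Python check that lines the quoted DENIED records up against the rules in the quoted .files profile, showing that the denied reads are on the directories /dev/ and /dev/bus/usb/ while the rules only name individual device nodes. The glob translation is a simplified assumption covering only * and **, and rules pulled in through abstractions/libvirt-qemu are not shown on the page and are not checked.

```python
import re

# Two of the DENIED records quoted in the report; the other four repeat these paths.
AUDIT_LOG = """\
Oct 27 14:17:29 laptop kernel: [ 5771.844806] type=1400 audit(1382897849.445:339): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Oct 27 14:17:29 laptop kernel: [ 5771.844847] type=1400 audit(1382897849.445:340): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
"""

# Rules copied from the quoted libvirt-<UUID>.files profile (subset).
FILES_RULES = """
  "/var/log/libvirt/**/windows-xp.log" w,
  "/home/vm/windowsxp.img" rw,
  "/dev/bus/usb/002/012" rw,
  "/dev/bus/usb/002/011" rw,
  "/dev/bus/usb/002/007" rw,
"""

DENIAL = re.compile(r'apparmor="DENIED".*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')
RULE = re.compile(r'^\s*"(?P<path>[^"]+)"\s+(?P<perms>[a-z]+),\s*$', re.M)

def rule_regex(glob):
    """Simplified AppArmor glob: '**' may cross '/', '*' may not (assumption)."""
    parts = re.split(r"(\*\*|\*)", glob)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile(body + r"\Z")

def parse_denials(log):
    """Unique (path, denied_mask) pairs, in first-seen order."""
    pairs = [(m["name"], m["mask"]) for m in DENIAL.finditer(log)]
    return list(dict.fromkeys(pairs))

def parse_rules(text):
    """(compiled path pattern, permission set) for each quoted-path rule."""
    return [(rule_regex(m["path"]), set(m["perms"])) for m in RULE.finditer(text)]

def uncovered(denials, rules):
    """Denied accesses that none of the listed rules would grant."""
    return [(path, mask) for path, mask in denials
            if not any(rx.match(path) and set(mask) <= perms for rx, perms in rules)]

if __name__ == "__main__":
    rules = parse_rules(FILES_RULES)
    for path, mask in uncovered(parse_denials(AUDIT_LOG), rules):
        kind = "directory" if path.endswith("/") else "file"
        print(f"no rule grants '{mask}' on {kind} {path}")
```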