After thinking and playing around with it, I think the rules should not be too loose. So will go with:
/usr/lib/xen-*/bin/libxl-save-helper PUx,

** Description changed:

  Another glitch when moving from the xm to the xl toolstack: libvirtd
  needs to run /usr/lib/xen-4.4/bin/libxl-save-helper but is denied by the
  apparmor profile. Need to add:

  /usr/lib/xen-4.4/bin/* PUx,

  to the profile. Or even generally allow

  /usr/lib/xen-*/bin/* PUx,

  which would match both xen-common/bin and any xen-<version>/bin.
+
+ SRU Justification (for Trusty):
+
+ Impact: Apparmor will prevent libvirt to save a Xen guest via libxl
+ because the helper command cannot be executed from libvirtd.
+
+ Fix: Add the following rule to the libvirtd apparmor profile:
+ /usr/lib/xen-*/bin/libxl-save-helper PUx,
+
+ Testcase: Start a (HVM) guest via libvirt, then run save (virsh). This
+ will fail without the additional rule but succeed when it is added.

https://bugs.launchpad.net/bugs/1334195

Title:
  libvirt/libxl: Failing to save guest due to apparmor denial
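The difference in scope between the three candidate rules can be checked mechanically. The following is an added example, not part of the bug report or of AppArmor's own code: it models only the `*`, `**` and `?` path globs, and every sample path other than the libxl-save-helper one is constructed for illustration.

```python
import re

def aa_glob_to_regex(glob):
    """Translate the subset of AppArmor path globbing used here:
    '**' matches any characters including '/', '*' matches any
    characters except '/', '?' matches one character except '/'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

# The three candidate rules discussed in the bug report.
RULES = [
    "/usr/lib/xen-4.4/bin/*",
    "/usr/lib/xen-*/bin/*",
    "/usr/lib/xen-*/bin/libxl-save-helper",
]

# Constructed sample paths; only the first one appears in the report.
PATHS = [
    "/usr/lib/xen-4.4/bin/libxl-save-helper",
    "/usr/lib/xen-4.5/bin/libxl-save-helper",      # hypothetical later version
    "/usr/lib/xen-4.4/bin/other-tool",             # hypothetical sibling binary
    "/usr/lib/xen-common/bin/other-tool",          # hypothetical sibling binary
    "/usr/lib/xen-4.4/bin/sub/libxl-save-helper",  # nested: '*' stops at '/'
]

def coverage(rules=RULES, paths=PATHS):
    """Map each rule to the sample paths it would allow libvirtd to exec."""
    return {r: [p for p in paths if aa_glob_to_regex(r).match(p)] for r in rules}

if __name__ == "__main__":
    for rule, hits in coverage().items():
        print(f"{rule} PUx,  -> {len(hits)} of {len(PATHS)} paths")
        for p in hits:
            print("    " + p)
```

The helper-specific rule survives a Xen version bump without granting exec on any other binary in those directories, which the `bin/*` variants do.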