Public bug reported:

Reporting per chat in #apparmor. Since that suggestion I've done enough to establish it's highly likely a dupe of one of the tickets I reference further down, but I'm reporting so someone more experienced can determine where it should be linked to.

I'm seeing denials like this (on Ubuntu 18.04) when trying to run

    virsh snapshot-create-as server-here --name "Auto snapshot $(date --rfc-3339=seconds)" --atomic --disk-only

The profile does include the libvirt abstraction file, which specifies rmix for that binary. Is the problem that it's being invoked without a full path?

    type=AVC msg=audit(1597890133.739:39299): apparmor="DENIED" operation="open" profile="libvirt-a93f9c40-05ef-fa3d-d1fd-c8a36fa533a6" name=2F7661722F6C69622F6C6962766972742F696D616765732F736572766572323031392D30322E4175746F20736E617073686F7420323032302D30382D32302031323A32323A31322B31303A3030 pid=43589 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055

For the record, trying without spaces we have the same error, but the name of the snapshot simply isn't encoded.

    type=AVC msg=audit(1597891120.185:39322): apparmor="DENIED" operation="open" profile="libvirt-a93f9c40-05ef-fa3d-d1fd-c8a36fa533a6" name="/var/lib/libvirt/images/server- here.xxx661722F6C69622F6C6962661722F6C69622F6C696F6C69622F6C6962766ssssss972742xxx" pid=43589 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055

Further research showed that this succeeds:

    virsh snapshot-create-as server-02 --name "Auto snapshot $(date --rfc-3339=seconds)" --atomic

So it's when --disk-only becomes involved that the failure occurs. That means
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1320221 and
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1004606
are likely to already indicate (if not capture) my problem.
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1417288 relates to the functionality but doesn't cover my use case.

As a final point, I needed to add rwk and re-run aa-enforce on the instance's profile (not libvirt-qemu).

    vi /etc/apparmor.d/abstractions/libvirt-qemu
    aa-enforce /etc/apparmor.d/libvirt/libvirt-a93f9c40-05ef-fa3d-d1fd-c8a36fa533a6
    virsh snapshot-create-as server-here --name "xxx661722F6C69622F6C6962661722F6C69622F6C696F6C69622F6C6962766ssssss972742xxx" --atomic --disk-only
    Domain snapshot xxx661722F6C69622F6C6962661722F6C69622F6C696F6C69622F6C6962766ssssss972742xxx created

It appears to me that whatever generates the .files listing should consider derived names; it would be better than the `/var/lib/libvirt/images/** rwk,` I used in terms of confinement.

    disk one original: server-name-1.img
    disk two original: server-name-2.img
    disk two snapshot: server-name-2.xx22F6C69622F6C6962661722F6C69622F6C696F6C69622F6C6962766ssssss972742xxx
    disk one snapshot: server-name-1.xxx661722F6C69622F6C6962661722F6C69622F6C696F6C69622F6C6962766ssssss972742xxx

** Affects: libvirt (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892306

Title:
  virsh snapshot-create-as fails when --disk-only is specified

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1892306/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
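The bare hex `name=` value in the first denial is how the audit subsystem records a path containing a space (the snapshot name from `date --rfc-3339=seconds`); decoding it reveals exactly which derived snapshot file the generated profile did not cover. The following Python helper is an added example, not code from the bug report or from libvirt/AppArmor: it parses audit AVC lines and hex-decodes the string fields, using the two denial lines quoted above as its sample input.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the two AVC denials quoted in the bug report above.
SAMPLE_LINES = [
    'type=AVC msg=audit(1597890133.739:39299): apparmor="DENIED" operation="open" '
    'profile="libvirt-a93f9c40-05ef-fa3d-d1fd-c8a36fa533a6" '
    'name=2F7661722F6C69622F6C6962766972742F696D616765732F736572766572323031392D30322E'
    '4175746F20736E617073686F7420323032302D30382D32302031323A32323A31322B31303A3030 '
    'pid=43589 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055',
    'type=AVC msg=audit(1597891120.185:39322): apparmor="DENIED" operation="open" '
    'profile="libvirt-a93f9c40-05ef-fa3d-d1fd-c8a36fa533a6" '
    'name="/var/lib/libvirt/images/server- here.xxx661722F6C69622F6C6962661722F6C69622F6C696F6C69622F6C6962766ssssss972742xxx" '
    'pid=43589 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055',
]

# key=value tokens; a value is either a double-quoted string or a run of non-space chars.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# String fields the audit subsystem emits as unquoted hex when the value contains
# a space, a double quote or a control character (they are quoted otherwise).
_HEX_FIELDS = {"name", "comm", "exe", "profile"}

def decode_audit_value(key: str, raw: str) -> str:
    """Strip surrounding quotes, or hex-decode an unquoted string field."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in _HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_avc(line: str) -> Dict[str, str]:
    """Turn one audit/AppArmor record into a dict with decoded string fields."""
    return {k: decode_audit_value(k, v) for k, v in _TOKEN.findall(line)}

def denied_paths(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(profile, decoded path, denied mask) for every DENIED file-access record."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec.get("type") == "AVC" and rec.get("apparmor") == "DENIED" and "name" in rec:
            out.append((rec["profile"], rec["name"], rec.get("denied_mask", "")))
    return out

if __name__ == "__main__":
    for profile, path, mask in denied_paths(SAMPLE_LINES):
        print(f"{profile}: {mask} denied on {path!r}")
```

The decoded path shows why the failure is tied to --disk-only: the external snapshot file lives beside the disk image under a derived name, and only that derived name is missing from the profile.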