:-) NP Seth - Yes the "local" was only for manual workarounds in this bug. And the proposed fix is in the right place for the package.
The abstractions, or generally other places for that rule, are interesting. Because, as I stated above, while I can now finally recreate it in Focal, it is gone in later versions. I was unable to find a clear sssd/libvirt change that fixed this - but chances are one of those abstractions already got a rule that now allows it.

  #include <abstractions/base>
  #include <abstractions/dbus>

Neither of them leads to such a rule in >=Groovy.

It really is systemd that changed. The code was indeed present in 245 (Focal) but not later.

That is the code on v245 (Focal):
https://github.com/systemd/systemd/blob/ea500ac513cf51bcb79a5666f1519499d029428f/src/shared/userdb.c#L1237

The whole functionality was added in v245 via
https://github.com/systemd/systemd/commit/ec8e4a0ef12ff2fd393e58c335602d605d94f846
and removed in v246 via
https://github.com/systemd/systemd/commit/037b0a47b0d7df09d720dda6703135117e7e0472

That explains why we only see this in Focal - it is the only version containing that mechanism. And I think it is fair to say that the switch of the underlying tech in systemd isn't backportable for an SRU (compared to the rule we propose).

It now also makes sense why e.g. the non-local sssd users trigger this. When calling the service through the socket of libvirt, it will try to check who has called, and that is exactly when the nss services will all be probed. With systemd 245 this also implies this generated socket to be bound.

I'll have a look at further restricting the rule ...

--
https://bugs.launchpad.net/bugs/1890858

Title:
  AppArmor profile causes QEMU/KVM - Not Connected