Public bug reported:

I enable https://wiki.debian.org/ReadonlyRoot on my computer for security hardening. After rebooting, most other applications work. Many system settings become uneditable, good. However, *running* virt-manager VMs stop working. It only works when the VM is started when I `sudo mount -o remount,rw /`.

$ lsb_release -rd
Description:	Ubuntu 25.10
Release:	25.10

$ apt-cache policy libvirt0
libvirt0:
  Installé : 11.6.0-1ubuntu3.2
  Candidat : 11.6.0-1ubuntu3.3
 Table de version :
     11.6.0-1ubuntu3.3 500 (en phase 40%)
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-updates/main amd64 Packages
 *** 11.6.0-1ubuntu3.2 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-security/main amd64 Packages
        100 /var/lib/dpkg/status
     11.6.0-1ubuntu3 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing/main amd64 Packages

$ apt-cache policy libvirt-daemon
libvirt-daemon:
  Installé : 11.6.0-1ubuntu3.2
  Candidat : 11.6.0-1ubuntu3.3
 Table de version :
     11.6.0-1ubuntu3.3 500 (en phase 40%)
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-updates/main amd64 Packages
 *** 11.6.0-1ubuntu3.2 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing-security/main amd64 Packages
        100 /var/lib/dpkg/status
     11.6.0-1ubuntu3 500
        500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu questing/main amd64 Packages

# What you expected to happen

The VM should start when Play is clicked in virt-manager.

# What happened instead

Error starting domain: internal error: cannot load AppArmor profile 'libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 67, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
    ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 101, in tmpcb
    callback(*args, **kwargs)
    ~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/domain.py", line 1446, in startup
    self._backend.create()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/libvirt.py", line 1379, in create
    raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: internal error: cannot load AppArmor profile 'libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869'

# Workaround

libvirt wants to have, only when running, /etc/apparmor.d/libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869.files. Symlinking that to a /var subdirectory doesn't work, perhaps due to virt-aa-helper/apparmor-parser itself being confined by AppArmor profiles. Bind-mounting it works. AppArmor should allow symlinking, or like systemd, have something in /run.

ProblemType: Bug
DistroRelease: Ubuntu 25.10
Package: libvirt0 11.6.0-1ubuntu3.2
ProcVersionSignature: Ubuntu 6.17.0-14.14-generic 6.17.9
Uname: Linux 6.17.0-14-generic x86_64
ApportVersion: 2.33.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: KDE
Date: Fri Feb 27 22:15:38 2026
InstallationDate: Installed on 2022-11-05 (1211 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
SourcePackage: libvirt
UpgradeStatus: Upgraded to questing on 2025-10-04 (146 days ago)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug questing wayland-session

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142924

Title:
  Cannot load AppArmor profile with ReadonlyRoot
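
An added diagnostic example (not part of the original report, and not libvirt or AppArmor code): the function below reads a /proc/mounts-style table and reports whether the mount covering a path is `ro` or `rw`, which shows whether the profile path named in the report is writable before a VM is started. The sample table, its device names and the bind mount over /etc/apparmor.d are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. The sample table below is constructed.

# mount_mode PATH [TABLE]: print "ro" or "rw" for the mount that covers PATH.
# TABLE is a /proc/mounts-style file (device, mount point, fstype, options, ...).
# Mount points containing spaces (escaped as \040 in /proc/mounts) are not handled.
mount_mode() {
    awk -v p="$1" '
        {
            mp = $2
            covers = (mp == "/") || (p == mp) || (index(p, mp "/") == 1)
            # ">=" lets a later entry stacked on the same mount point win.
            if (covers && length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END {
            if (best == "") exit 2
            mode = "rw"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") mode = "ro"
            print mode
        }' "${2:-/proc/mounts}"
}

# Constructed table: read-only root, writable /run and /var.
demo_table() {
    cat <<'EOF'
/dev/sda2 / ext4 ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
EOF
}

# Profile path as quoted in the report.
profile=/etc/apparmor.d/libvirt-b0d3fef7-2877-48ab-8449-ab5200efb869.files
tmp=$(mktemp)
demo_table > "$tmp"
echo "before bind mount: $(mount_mode "$profile" "$tmp")"
# Assumed workaround layout: a writable directory bind-mounted over /etc/apparmor.d.
echo '/dev/sda3 /etc/apparmor.d ext4 rw,relatime 0 0' >> "$tmp"
echo "after bind mount:  $(mount_mode "$profile" "$tmp")"
rm -f "$tmp"
```

Called with one argument, `mount_mode` reads the live /proc/mounts instead of a sample table.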
