<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 7, 2020 at 6:14 PM Daniel P. Berrangé <<a href="mailto:berrange@redhat.com">berrange@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, Aug 07, 2020 at 12:21:20PM +0200, Christian Ehrhardt wrote:<br>
> With qemu 5.0 and libvirt 6.6 there are new apparmor denials:<br>
>   apparmor="DENIED" operation="umount" profile="libvirtd"<br>
>   name="/run/libvirt/qemu/<a href="http://1-kvmguest-groovy-norm.dev/" rel="noreferrer" target="_blank">1-kvmguest-groovy-norm.dev/</a>" comm="rpc-worker"<br>
> <br>
> These are related to new issues around devmapper handling [1] and the<br>
> error path triggered by these issues now causes this new denial.<br>
> <br>
> There are already related rules for mounting and it seems right to<br>
> allow also the related umount.<br>
> <br>
> [1]: <a href="https://www.redhat.com/archives/libvir-list/2020-August/msg00236.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/libvir-list/2020-August/msg00236.html</a><br>
> <br>
> Signed-off-by: Christian Ehrhardt <<a href="mailto:christian.ehrhardt@canonical.com" target="_blank">christian.ehrhardt@canonical.com</a>><br>
> ---<br>
>  src/security/apparmor/<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">usr.sbin.libvirtd.in</a> | 1 +<br>
>  1 file changed, 1 insertion(+)<br>
<br>
Reviewed-by: Daniel P. Berrangé <<a href="mailto:berrange@redhat.com" target="_blank">berrange@redhat.com</a>><br></blockquote><div><br></div><div>Thanks for the review - there was no negative feedback so far and in tests this worked fine.</div><div>I'm committing the changes to not be postponed to close to the next release.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Regards,<br>
Daniel<br>
-- <br>
|: <a href="https://berrange.com" rel="noreferrer" target="_blank">https://berrange.com</a>      -o-    <a href="https://www.flickr.com/photos/dberrange" rel="noreferrer" target="_blank">https://www.flickr.com/photos/dberrange</a> :|<br>
|: <a href="https://libvirt.org" rel="noreferrer" target="_blank">https://libvirt.org</a>         -o-            <a href="https://fstop138.berrange.com" rel="noreferrer" target="_blank">https://fstop138.berrange.com</a> :|<br>
|: <a href="https://entangle-photo.org" rel="noreferrer" target="_blank">https://entangle-photo.org</a>    -o-    <a href="https://www.instagram.com/dberrange" rel="noreferrer" target="_blank">https://www.instagram.com/dberrange</a> :|<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Christian Ehrhardt<br>Staff Engineer, Ubuntu Server<br>Canonical Ltd</div></div>