[libvirt] [sandbox] Weird apparmor problems

Cedric Bosdonnat cbosdonnat at suse.com
Fri Oct 30 13:27:18 UTC 2015

On Fri, 2015-10-30 at 09:15 +0900, Daniel P. Berrange wrote:
> So, yes, it is normal for libvirt_lxc to access /dev/ptmx to create
> a new master PTY and to read/write to /dev/pts/NN associated with
> the file descriptor retrieved from /dev/ptmx.

After some more debugging and help from jjohansen, the problem happens
to be this commit:


When having the not-so-silly idea to mount the host / readonly in a qemu
guest (like what virt-sandbox is doing), we are adding a "deny /** w"
rule taking precedence over all rules giving write access to files
inside that path.

Would there be a clean solution for that problem? I can already teach
virt-sandbox to add the host / mount only if there is nothing else to be
mounted as /, but that wouldn't cover all cases.


More information about the libvir-list mailing list