apparmor DENIED on domain shutdown

Jim Fehlig jfehlig at suse.com
Sat Dec 5 16:23:42 UTC 2020


On 12/4/20 1:21 AM, Francesc Guasch wrote:
> On 03/12/2020 19:20, Jim Fehlig wrote:
>> On 12/3/20 4:42 AM, Francesc Guasch wrote:
>>> Hi. I upgraded one of my servers to Ubuntu 20.04. Since then domains
>>> won't shutdown. They are in the "in shutdown" state.
>>>
>>> I see this message in the logs:
>>>
>>> kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): 
>>> apparmor="DENIED" operation="signal" 
>>> profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 
>>> comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term 
>>> peer="libvirtd"
>>
>> Are you using lxc? I recently posted a patch allowing lxc domains to receive 
>> signals from libvirtd
>>
>> https://www.redhat.com/archives/libvir-list/2020-December/msg00187.html
>>
> 
> Jim ! I am not using LXC, but KVM. That worked like a charm. For the
> record that is exactly what I changed:
> 
> I added to the file :
> 
>      /etc/apparmor.d/usr.sbin.libvirtd
> 
> below:
> 
>      # For communication/control from libvirtd
> 
>      signal (receive) peer=libvirtd,
>      signal (receive) peer=/usr/sbin/libvirtd

I'm no apparmor expert, but this doesn't make sense to me. You've added a rule 
to the libvirtd profile allowing libvirtd to receive signals from libvirtd :-).

Let's look again at your apparmor denied message:

> kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338):
> apparmor="DENIED" operation="signal"
> profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375
> comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term
> peer="libvirtd"

This essentially says profile libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 was 
denied receiving SIGTERM from libvirtd. Profile 
libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878 is created at VM start. It contains 
rules allowing the VM process access to resources it uses from the host, e.g. a 
path on the host where the VM's disk image resides. The profile also includes 
the <abstractions/libvirt-qemu> profile, which contains rules applicable to all 
VM processes. As I understand it, the abstraction is where you want to place the 
rules. On your system that is likely /etc/apparmor.d/abstractions/libvirt-qemu.

Regards,
Jim
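The triage that Jim walks through above (read the audit fields, work out which profile was denied what, and decide where the allow rule belongs) can be scripted. The following is an added example, not code from the thread or from libvirt: it parses the AppArmor audit line quoted in the thread, builds a `signal (receive) ... peer=...,` rule in the form Francesc posted (narrowed to the denied signal with an AppArmor `set=(...)` clause, which is my addition), and applies Jim's reasoning that a `libvirt-<uuid>` profile is regenerated at VM start, so the rule belongs in `abstractions/libvirt-qemu`. The function names and the `/etc/apparmor.d` default are assumptions for the example.

```python
import re

# The audit line quoted in the thread (the original poster's log message).
SAMPLE_DENIAL = (
    'kernel: [740222.848210] audit: type=1400 audit(1606983397.013:338): '
    'apparmor="DENIED" operation="signal" '
    'profile="libvirt-a2c1456f-3371-49eb-9fa4-f8576ca4e878" pid=2375 '
    'comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term '
    'peer="libvirtd"'
)

# key=value tokens; the value is either double-quoted or a bare word.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Per-VM profiles are named libvirt-<domain UUID> and are generated at VM start.
_VM_PROFILE = re.compile(r'^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_apparmor_audit(line):
    """Return the key=value fields of an AppArmor audit message as a dict.

    Lines without an apparmor= field are not AppArmor messages; return None.
    """
    fields = {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}
    if "apparmor" not in fields:
        return None
    return fields


def suggest_signal_rule(fields):
    """Build the rule that would allow the denied signal exchange.

    Form follows the rule quoted in the thread, signal (<access>) peer=<profile>,
    with the signal name narrowed via set=(...) so only the denied signal is
    allowed rather than every signal.  Returns None for non-signal denials.
    """
    if fields.get("operation") != "signal":
        return None
    rule = f"signal ({fields['denied_mask']})"
    if fields.get("signal"):
        rule += f" set=({fields['signal']})"
    return rule + f" peer={fields['peer']},"


def rule_target_file(fields, apparmor_dir="/etc/apparmor.d"):
    """Decide where the rule belongs, per the reasoning in the thread.

    A libvirt-<uuid> profile is regenerated when the VM starts, so editing it
    does not stick; rules meant for every VM go in the libvirt-qemu
    abstraction.  For any other profile this helper does not guess a file
    (profile names need not match file names) and returns None.
    """
    if _VM_PROFILE.match(fields.get("profile", "")):
        return f"{apparmor_dir}/abstractions/libvirt-qemu"
    return None


def triage(line):
    """Parse one log line; return the proposed rule and file, or None."""
    fields = parse_apparmor_audit(line)
    if not fields or fields.get("apparmor") != "DENIED":
        return None
    rule = suggest_signal_rule(fields)
    if rule is None:
        return None
    return {"profile": fields["profile"], "rule": rule,
            "file": rule_target_file(fields)}


if __name__ == "__main__":
    result = triage(SAMPLE_DENIAL)
    print(f"profile : {result['profile']}")
    print(f"rule    : {result['rule']}")
    print(f"add to  : {result['file']}")
```

Run against the quoted line, the script reports the per-VM profile, proposes `signal (receive) set=(term) peer=libvirtd,` and points at the `libvirt-qemu` abstraction rather than the `usr.sbin.libvirtd` profile that was edited in the thread. Treat the proposed rule as a starting point to review: the denied_mask and peer come straight from the log, so the rule only opens the one path that was actually blocked.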
