Public bug reported: Apparmor isolation is great to make guest usage safer, but we have to admit that there are some cases which can't yet be handled dynamically.

For example:
- https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1677398
- https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1573192
- https://gitlab.com/libvirt/libvirt/-/issues/135

So far we've always thought of implementing this as a proper feature; it was too big and so it failed to be tackled. But in one of the bugs @mwilck correctly brought up that it would already be quite an improvement to notify the user about why things fail. And I mentioned we could then hint at how to work around it, with system config to allow semi-statically what dynamic apparmor would block.

We already have some libvirt/apparmor in the documentation [1], and I've written suggestions for these cases in various bugs that helped people to e.g. allow a dir path for all, which allows one to use the dir pool and similar.

Changing libvirt just to the extent of telling the user "arr, sorry you are trying to use X which we can't dynamically detect - please consider adding rules" should be easier than implementing all of it and help almost as much. Also adding a related section to the documentation would help further.

[1]: https://documentation.ubuntu.com/server/how-to/virtualisation/libvirt/

** Affects: libvirt (Ubuntu)
   Importance: Medium
   Status: Triaged

** Changed in: libvirt (Ubuntu)
   Status: New => Triaged

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/2097406
Title: Apparmor prevents using storage pools and hostdev networks - notify the user
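As an added illustration of the "tell the user why it failed and hint at a static rule" idea (example code, not part of the bug report or of libvirt): a small script that reads AppArmor denial lines for `libvirt-*` guest profiles and collapses them into the rule a user could add by hand. The log lines are constructed samples, and the local override path `/etc/apparmor.d/local/abstractions/libvirt-qemu` is an assumption about the Ubuntu packaging.

```python
import os
import re

# Constructed sample lines in the shape of AppArmor "DENIED" audit messages
# (as seen in kern.log / journalctl) emitted when a dynamically confined guest
# opens something virt-aa-helper could not add to its profile. The last line
# belongs to an unrelated profile and must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.001:101): apparmor="DENIED" operation="open" profile="libvirt-0ab3c4d5-0000-4000-8000-000000000001" name="/srv/images/disk0.qcow2" pid=4242 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=64055 ouid=64055
audit: type=1400 audit(1700000000.002:102): apparmor="DENIED" operation="open" profile="libvirt-0ab3c4d5-0000-4000-8000-000000000001" name="/srv/images/disk1.qcow2" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="open" profile="libvirt-0ab3c4d5-0000-4000-8000-000000000001" name="/dev/vfio/12" pid=4242 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=64055 ouid=64055
audit: type=1400 audit(1700000000.004:104): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/tmp/x" pid=7 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in an audit line

def parse_denials(text):
    """Return the denials hitting libvirt guest profiles as dicts."""
    out = []
    for line in text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or not f.get("profile", "").startswith("libvirt-"):
            continue
        out.append({"profile": f["profile"], "name": f["name"], "mask": f.get("denied_mask", "")})
    return out

def suggest_rules(denials):
    """Collapse denials into static rules for a local AppArmor override.

    Files under a directory (the storage-pool case) become one directory glob;
    device nodes (the hostdev case) stay exact paths. Access modes seen for the
    same target are merged, so repeated denials produce a single hint.
    """
    modes = {}
    for d in denials:
        path = d["name"]
        target = path if path.startswith("/dev/") else os.path.dirname(path) + "/**"
        modes[target] = modes.get(target, "") + d["mask"]
    rules = []
    for target, seen in sorted(modes.items()):
        mode = "".join(c for c in "rwkm" if c in seen)  # AppArmor's r/w/k/m order
        rules.append(f'  "{target}" {mode},')
    return rules

if __name__ == "__main__":
    hints = suggest_rules(parse_denials(SAMPLE_LOG))
    print("AppArmor blocked guest access it could not predict; to allow it statically,")
    # assumed Ubuntu local override path for the shared libvirt-qemu abstraction
    print("consider adding to /etc/apparmor.d/local/abstractions/libvirt-qemu:")
    print("\n".join(hints))
```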