Description of problem:
current apparmor profile denies qemu to change task names

Version-Release number of selected component (if applicable):
at least: 1.3.5; 2.0.0

How reproducible:
always

Steps to Reproduce:
1. use apparmor security driver
2. run virtual machine

Actual results:
noise in syslog (apparmor audit)
example:
  apparmor="DENIED" operation="open" profile="libvirt-cdf35917-3cf6-46ec-b41b-e906add9259f" name="/proc/3024/task/9431/comm" pid=3024 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw"

Expected results:
--

Additional info:
fix: add rule to the profile /etc/apparmor.d/abstractions/libvirt-qemu
  @{PROC}/@{pid}/task/*/comm rw,

I assume this is via the qemu.conf set_process_name option?

FWIW the libvirt apparmor maintainers don't really follow this bug tracker, might be better to try libvir-list or file a distro bug. Or if you want to take a stab at fixing it, look at ./src/security/virt-aa-helper.c in libvirt.git

Patch sent to https://www.redhat.com/archives/libvir-list/2016-December/msg00106.html

Patch is upstream now, thanks!

commit a73e7037e5a5f7af94216e2147c6ef675b2323f6
Author: intrigeri <intrigeri+libvirt>
Date:   Mon Dec 12 10:59:32 2016 +0000

    AppArmor: allow QEMU to set_process_name.
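
An added example, not part of the original report or of libvirt's code: a small triage check that parses an AppArmor audit denial and tests whether the rule proposed in the report covers it, so the log noise can be confirmed gone without widening the profile further. The function names, the simplified expansions of @{PROC} and @{pid}, and the second sample line are assumptions made for illustration.

```python
import re
import shlex

# Assumption: simplified expansions of AppArmor's tunables variables.
VARS = {"@{PROC}": "/proc/", "@{pid}": "[1-9][0-9]*"}

# Audit line quoted in the report above.
REPORTED = ('apparmor="DENIED" operation="open" '
            'profile="libvirt-cdf35917-3cf6-46ec-b41b-e906add9259f" '
            'name="/proc/3024/task/9431/comm" pid=3024 comm="qemu-system-x86" '
            'requested_mask="rw" denied_mask="rw"')
# Constructed line: same thread, different /proc file (not from the report).
CONSTRUCTED = REPORTED.replace("/task/9431/comm", "/task/9431/mem")
# Rule proposed in the report for abstractions/libvirt-qemu.
RULE = "@{PROC}/@{pid}/task/*/comm rw,"


def parse_denial(line):
    """Split an AppArmor audit message into its key=value fields."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def rule_to_regex(path_glob):
    """Translate a file-rule path to a regex; '*' never crosses a '/'."""
    out = ""
    for part in re.split(r"(@\{\w+\}|\*)", path_glob):
        if part in VARS:
            out += VARS[part]
        elif part == "*":
            out += "[^/]*"
        else:
            out += re.escape(part)
    # Collapse the doubled slash left by "@{PROC}/", as AppArmor does.
    return re.compile(re.sub(r"/+", "/", out) + r"\Z")


def is_covered(line, rule):
    """True if the denied path and every denied permission match the rule."""
    path_glob, perms = rule.rstrip(",").split()
    fields = parse_denial(line)
    return bool(
        fields.get("apparmor") == "DENIED"
        and rule_to_regex(path_glob).match(fields.get("name", ""))
        and set(fields.get("denied_mask", "")) <= set(perms)
    )


if __name__ == "__main__":
    for sample in (REPORTED, CONSTRUCTED):
        print(parse_denial(sample)["name"], "covered:", is_covered(sample, RULE))
```

The reported denial is covered by the rule, while the constructed denial for a different per-task file is not, which shows the rule stays scoped to the comm file only.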