<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi, sorry for my late reply.<br>
    </p>
    <div class="moz-cite-prefix">On 2018-08-03 20:42, Guido Günther
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:20180803124209.GA11561@bogon.m.sigxcpu.org">
      <pre wrap="">Hi,
thanks. Some comments inline below:

On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Hi,

On 2018-08-03 19:58, Guido Günther wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">Hi,
On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
</pre>
          <blockquote type="cite">
            <pre wrap="">Package: libvirt-daemon-system
Version: 3.0.0-4+deb9u3
Severity: normal
X-Debbugs-Cc: <a class="moz-txt-link-abbreviated" href="mailto:apparmor@packages.debian.org">apparmor@packages.debian.org</a>

Dear maintainers, (CCed: apparmor-maintainers)

I enabled AppArmor on my Debian stretch machine.
I found that some of libvirt's open operations are DENIED by AppArmor.
Please see below.

```
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400
audit(1532950522.067:41): apparmor="DENIED" operation="open"
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400
audit(1532950522.067:42): apparmor="DENIED" operation="open"
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400
audit(1532950522.103:43): apparmor="DENIED" operation="open"
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
name="/sys/module/vhost/parameters/max_mem_regions" pid=1307
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400
audit(1532950536.959:46): apparmor="DENIED" operation="open"
profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400
audit(1532950536.959:47): apparmor="DENIED" operation="open"
profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400
audit(1532950536.967:48): apparmor="DENIED" operation="open"
profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
name="/sys/module/vhost/parameters/max_mem_regions" pid=1376
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400
audit(1533009084.686:49): apparmor="DENIED" operation="open"
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r"
denied_mask="r" fsuid=64055 ouid=0
```

These policy conflicts were fixed upstream.

I attached a patch which is backported from these commits.
<a class="moz-txt-link-freetext" href="https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186">https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186</a>
<a class="moz-txt-link-freetext" href="https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278">https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278</a>

Would you apply this patch for stretch?
</pre>
          </blockquote>
          <pre wrap="">Can you provide a debdiff for a fixed package?
  -- Guido
</pre>
        </blockquote>
        <pre wrap="">debdiff is here:
</pre>
      </blockquote>
      <pre wrap="">Is this a *tested* debdiff?</pre>
    </blockquote>
    Yes, I installed my own built package and tested it.<br>
    <br>
    I attach a new debdiff.<br>
    Does this meet the condition?<br>
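    <p>Added example, not part of the original mail thread and not libvirt's or Debian's code: a Python script that re-joins mail-wrapped kernel audit records like those in the report, keeps the apparmor="DENIED" ones, and lists each denied path once as a candidate profile rule for review. The sample log and all function names are constructed for illustration, and the output is not the content of the upstream commits.</p>
    <pre>
```python
import re
from collections import defaultdict

# Constructed sample in the format of the report above, including the
# 80-column wrapping a mail client applies to each kernel audit record.
SAMPLE = '''\
Jul 30 20:35:22 host kernel: [   39.503726] audit: type=1400
audit(1532950522.067:41): apparmor="DENIED" operation="open"
profile="libvirt-00000000-0000-0000-0000-000000000001"
name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 host kernel: [   54.393592] audit: type=1400
audit(1532950536.959:46): apparmor="DENIED" operation="open"
profile="libvirt-00000000-0000-0000-0000-000000000002"
name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 host kernel: [   54.404634] audit: type=1400
audit(1532950536.967:48): apparmor="DENIED" operation="open"
profile="libvirt-00000000-0000-0000-0000-000000000002"
name="/sys/module/vhost/parameters/max_mem_regions" pid=1376
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
'''

RECORD_START = re.compile(r'^\w{3} +\d+ [\d:]{8} \S+ kernel: ')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def records(text):
    """Re-join mail-wrapped lines into one string per audit record."""
    out = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += ' ' + line
    return out

def summarize(text):
    """Map (path, denied_mask) to the set of profiles that were denied it."""
    seen = defaultdict(set)
    for rec in records(text):
        f = {k: q or u for k, q, u in FIELD.findall(rec)}
        if f.get('apparmor') == 'DENIED' and 'name' in f:
            seen[(f['name'], f['denied_mask'])].add(f['profile'])
    return dict(seen)

def candidate_rules(text):
    """Rule lines for human review; not the content of the upstream commits."""
    return [f'{path} {mask},' for path, mask in sorted(summarize(text))]
```
    </pre>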
  </body>
</html>