Did some additional research, and managed to re-load the existing profiles by executing:
root:/etc/apparmor.d/libvirt# for i in $(ls | grep -v "\.files" | grep libvirt-); do apparmor_parser -a $i; done
# apparmor_status
apparmor module is loaded.
40 profiles are loaded.
40 profiles are in enforce mode.
[...]
libvirt-22119fd7-e5c4-20c8-7efe-e0fbb086e218
libvirt-27ddd6d3-01ec-85dd-3f3b-0f58cbff18fe
libvirt-2d1c701b-d5ed-8524-4ef6-fbd12419d75e
libvirt-51ef85f6-ce69-4788-9293-2af1860d45d0
libvirt-564dbb14-b9f2-4083-2b85-cd44e90ee5c6
libvirt-909b523f-78a6-01c2-8179-daebf72b9e1f
libvirt-92d90b8b-b336-b73f-fb22-72a48d475445
libvirt-de951d50-6787-ec6a-754c-c5b39a2d7cd9
libvirt-ec24421d-1911-4b1b-09a8-0ece48901cb8
[...]
However, attempting to apply these to an existing pid (according to wiki @ https://help.ubuntu.com/community/AppArmor) gives:
root:/proc/23859/attr# cat current
unconfined
root:/proc/23859/attr# echo 'setprofile libvirt-27ddd6d3-01ec-85dd-3f3b-0f58cbff18fe' > current
-bash: echo: write error: Permission denied
New machines shut down and relaunched after doing the "service apparmor restart" get correctly confined:
# apparmor_status
[...]
3 processes have profiles defined.
3 processes are in enforce mode :
/usr/sbin/libvirtd (1928)
/usr/sbin/named (5018)
libvirt-2d1c701b-d5ed-8524-4ef6-fbd12419d75e (11214)
[...]
# service apparmor restart
[...]
2 processes are in enforce mode :
/usr/sbin/libvirtd (1928)
/usr/sbin/named (5018)
[...]
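A check for the state this report describes, where guests keep running but are no longer confined by their libvirt-<uuid> profile (an added example, not part of the original comment or of libvirt/AppArmor). The function names are hypothetical, the sample tree is constructed, and it assumes each guest's command line carries "-uuid <uuid>" and that attr/current reads "unconfined" or "<profile> (<mode>)".

```shell
#!/bin/sh
# Added example: report guests whose process is not running under its own
# libvirt-<uuid> profile. Assumes each guest's command line carries
# "-uuid <uuid>" and that attr/current reads "unconfined" or "<profile> (<mode>)".

# unconfined_guests [proc_root]: prints "<pid> <expected profile> <actual label>"
unconfined_guests() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # cmdline is NUL-separated; pick the argument that follows "-uuid"
        uuid=$(tr '\0' '\n' < "$dir/cmdline" |
            awk 'prev == "-uuid" { print; exit } { prev = $0 }')
        [ -n "$uuid" ] || continue          # not a guest process
        label=$(cat "$dir/attr/current" 2>/dev/null) || label="unreadable"
        case "$label" in
            "libvirt-$uuid"|"libvirt-$uuid ("*) ;;   # confined as expected
            *) echo "${dir##*/} libvirt-$uuid $label" ;;
        esac
    done
    return 0
}

# make_sample_proc: builds a CONSTRUCTED /proc-like tree (hypothetical data that
# mirrors the pids and profile names quoted in the report) and prints its path.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/1928/attr" "$root/11214/attr" "$root/23859/attr"
    printf '/usr/sbin/libvirtd\0-d\0' > "$root/1928/cmdline"
    echo '/usr/sbin/libvirtd (enforce)' > "$root/1928/attr/current"
    printf 'kvm\0-uuid\0%s\0' 2d1c701b-d5ed-8524-4ef6-fbd12419d75e > "$root/11214/cmdline"
    echo 'libvirt-2d1c701b-d5ed-8524-4ef6-fbd12419d75e (enforce)' > "$root/11214/attr/current"
    printf 'kvm\0-uuid\0%s\0' 27ddd6d3-01ec-85dd-3f3b-0f58cbff18fe > "$root/23859/cmdline"
    echo 'unconfined' > "$root/23859/attr/current"
    echo "$root"
}
```

On a real host, call unconfined_guests with no argument as root so that every attr/current file is readable; an empty result means every running guest is under its own profile.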