On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
> In order for apparmor to work properly in Xen environments, the following
> access rights need to be allowed:
>
> - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
> Broadcom cards by writing to the PCI config space
>
> - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
> this setting, an error 'Resource temporarily unavailable' can be seen
> while attempting to mmap memory. At the same time, the following
> apparmor message is seen:
>
> apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
> pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
> capname="ipc_lock"
>
> - Allow access to distribution specific directories:
> /usr/{lib,lib64}/xen/bin
>
> ---
> examples/apparmor/usr.sbin.libvirtd | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index 7151052..9917836 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -13,6 +13,7 @@
> capability sys_admin,
> capability sys_module,
> capability sys_ptrace,
> + capability sys_pacct,
> capability sys_nice,
> capability sys_chroot,
> capability setuid,
> @@ -24,6 +25,7 @@
> capability mknod,
> capability fsetid,
> capability audit_write,
> + capability ipc_lock,
>
> # Needed for vfio
> capability sys_resource,
> @@ -45,6 +47,7 @@
> /usr/sbin/* PUx,
> /lib/udev/scsi_id PUx,
> /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
> + /usr/{lib,lib64}/xen/bin/* Ux,
>
> # force the use of virt-aa-helper
> audit deny /sbin/apparmor_parser rwxl,

ACK

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
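Review bot: the first hunk adds `capability sys_pacct,` with no comment, and the cover letter's justification (resetting multi-port Broadcom cards by writing to PCI config space) is not what CAP_SYS_PACCT is documented for (it gates process accounting via acct(2)), so a reader of the profile cannot connect the capability to its purpose. Please add a comment above the line in the style of the existing `# Needed for vfio` comment, and include the corresponding `operation="capable"` denial line in the commit message, as was already done for ipc_lock, so the requirement is verifiable.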
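Review bot: `capability ipc_lock,` in the second hunk lands immediately before the `# Needed for vfio` block with no explanation of its own; since the cover letter ties it to locking guest memory (the 'Resource temporarily unavailable' error on mmap), a one-line comment above it, for example `# Needed to lock guest memory`, would keep that rationale in the profile rather than only in this thread. The quoted denial line in the commit message also repeats `pid=2097 comm="libvirtd"` twice, which looks like a paste artifact worth cleaning up.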
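Review bot: the new rule `/usr/{lib,lib64}/xen/bin/* Ux,` in the third hunk uses `Ux` (unconfined execute with environment scrubbing) while every neighbouring execute rule, including the `xen-common/bin/xen-toolstack` line directly above it, uses `PUx` (run under the target's own profile if one exists, otherwise unconfined). With `Ux`, any profile later shipped for a binary under `xen/bin` would be ignored when libvirtd execs it, and the `*` glob extends that to every file in the directory. Unless these helpers must never be confined, please use `PUx` to match the surrounding rules, or narrow the glob to the specific binaries libvirtd needs to run.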