Re: [PATCH 2/3] Grant access to helpers

On Tuesday, January 20, 2015 09:08:04 AM Cedric Bosdonnat wrote:
> On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
> > Apparmor must not prevent access to required helper programs. The
> > following helpers should be allowed to run in unconfined execution mode:
> >  - libvirt_parthelper
> >  - libvirt_iohelper
> > 
> > ---
> > 
> >  examples/apparmor/usr.sbin.libvirtd | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/examples/apparmor/usr.sbin.libvirtd
> > b/examples/apparmor/usr.sbin.libvirtd index 9917836..ab6572a 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -57,6 +57,8 @@
> > 
> >    audit deny /sys/kernel/security/apparmor/.* rwxl,
> >    /sys/kernel/security/apparmor/profiles r,
> >    /usr/{lib,lib64}/libvirt/* PUxr,
> > 
> > +  /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux,
> > +  /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux,
> > 
> >    /etc/libvirt/hooks/** rmix,
> >    /etc/xen/scripts/** rmix,
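Review bot: the two added `Ux` rules overlap the existing `/usr/{lib,lib64}/libvirt/* PUxr,` rule directly above them, which already matches both helper paths, so before merging please confirm that apparmor_parser still loads the profile (it rejects overlapping rules whose x modifiers conflict) and state in the commit message what actually fails under the current rule. `PUx` already falls back to unconfined execution when no dedicated profile for the helper is loaded, so the only behavioural change here is to force unconfined execution even when such a profile exists; if the helpers only need what libvirtd itself is allowed, `ix` (inherit the libvirtd profile) would keep them confined, and if they need a distinct policy, a child profile plus `Px` would be the least-privilege option. The new lines also drop the `r` that the glob rule grants; that is harmless only while the glob rule stays, so it is worth keeping `r` on the explicit rules to make them self-contained.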
> 
> Can't we find a way to have them run with inherited profile (ix)?
> Letting them run completely unprofiled may not be the best solution.

Seems like the apparmor profile for libvirtd is pretty wide open, so I'm not
sure if there will be much of a difference between those two settings. I'm also
not sure how best to test the functionality of those helpers to find out...

I don't mind if the patch is committed with ix. We can always change it later
if we find a definitive reason to use Ux. ;)

Thanks,
Mike

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
