On Wed, 2015-01-21 at 22:32 -0700, Mike Latimer wrote:
> On Tuesday, January 20, 2015 09:08:04 AM Cedric Bosdonnat wrote:
> > On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
> > > Apparmor must not prevent access to required helper programs. The
> > > following
> > >
> > > helpers should be allowed to run in unconfined execution mode:
> > > - libvirt_parthelper
> > > - libvirt_iohelper
> > >
> > > ---
> > >
> > > examples/apparmor/usr.sbin.libvirtd | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> > > index 9917836..ab6572a 100644
> > > --- a/examples/apparmor/usr.sbin.libvirtd
> > > +++ b/examples/apparmor/usr.sbin.libvirtd
> > > @@ -57,6 +57,8 @@
> > >
> > > audit deny /sys/kernel/security/apparmor/.* rwxl,
> > > /sys/kernel/security/apparmor/profiles r,
> > > /usr/{lib,lib64}/libvirt/* PUxr,
> > >
> > > + /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux,
> > > + /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux,
> > >
> > > /etc/libvirt/hooks/** rmix,
> > > /etc/xen/scripts/** rmix,
> >
> > Can't we find a way to have them run with inherited profile (ix)?
> > Letting them run completely unprofiled may not be the best solution.
>
> Seems like the apparmor profile for libvirtd is pretty wide open, so I'm not
> sure if there will be much of a difference between those two settings. I'm also
> not sure how best to test the functionality of those helpers to find out...
>
> I don't mind if the patch is committed with ix. We can always change it later
> if we find a definitive reason to use Ux. ;)

Jamie, as apparmor expert, do you have any opinion on this?

--
Cedric

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
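Review bot: the two added `Ux` rules overlap the existing `/usr/{lib,lib64}/libvirt/* PUxr,` rule in the same hunk, which already matches both helper paths; AppArmor does not pick the more specific path rule when exec qualifiers differ, so this should be checked against apparmor_parser for a conflicting x modifier rather than assumed to override the glob. `Ux` also drops confinement entirely for a helper that libvirtd runs on guest-influenced input (partition tables and disk I/O), while the existing `PUx` only falls back to unconfined when no dedicated profile is present. Since the commit message does not say which accesses the helpers are actually denied under the current rule, prefer `ix` as proposed in the thread (the helpers inherit the libvirtd profile and no new profile is needed), or add a dedicated child profile and reference it with `Px`; in either case, record the observed denials in the commit message so the choice can be revisited.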