On 04/09/2015 04:25 AM, Cédric Bosdonnat wrote: > SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and > /usr/share/qemu-kvm need to be accessed by domains. > --- > examples/apparmor/libvirt-qemu | 9 +++++++++ > 1 file changed, 9 insertions(+) > It is ok as is, but see my comments below. Acked-By: Jamie Strandboge <jamie@xxxxxxxxxxxxx> > diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu > index 7aad391..a3043dd 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu ... > @@ -118,12 +120,19 @@ > /bin/dd rmix, > /bin/cat rmix, > > + # for restore > + /bin/bash rmix, > + This one is curious. You have it with rmix, so it's ok though. Acked-By: Jamie Strandboge <jamie@xxxxxxxxxxxxx> > # for usb access > /dev/bus/usb/ r, > /etc/udev/udev.conf r, > /sys/bus/ r, > /sys/class/ r, > > + # nscd pieces > + /run/nscd/group r, > + /run/nscd/passwd r, > + These should already be in the nameservice abstraction via this rule: /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r, which is already included by libvirt-qemu: #include <abstractions/nameservice> It's ok to have duplicates-- apparmor handles them, but perhaps these aren't actually needed? -- Jamie Strandboge http://www.ubuntu.com/
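Review bot: The "/bin/bash rmix," rule in the @@ -118,12 +120,19 @@ hunk is justified only by the comment "# for restore", and neither that comment nor the commit message (which names just /usr/bin/qemu-kvm and /usr/share/qemu-kvm) says what runs bash during a restore. Please expand the comment to name the caller, so a later reader can tell whether the rule is still needed. The "ix" in "rmix" keeps the shell under the same profile, so the grant does not leave confinement, but a shell is a broad thing to allow without a stated reason. The two "/run/nscd/" read rules in the same hunk are also missing from the commit message. If they stay, the message should say why they are needed in addition to the "#include <abstractions/nameservice>" that the reply points to.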
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list