Hi Jamie,

On Thu, 2015-04-09 at 20:29 -0500, Jamie Strandboge wrote:
> On 04/09/2015 04:25 AM, Cédric Bosdonnat wrote:
> > SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and
> > /usr/share/qemu-kvm need to be accessed by domains.
> > ---
> > examples/apparmor/libvirt-qemu | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
>
> It is ok as is, but see my comments below.
>
> Acked-By: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
>
> > diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> > index 7aad391..a3043dd 100644
> > --- a/examples/apparmor/libvirt-qemu
> > +++ b/examples/apparmor/libvirt-qemu
>
> ...
>
> > @@ -118,12 +120,19 @@
> > /bin/dd rmix,
> > /bin/cat rmix,
> >
> > + # for restore
> > + /bin/bash rmix,
> > +
>
> This one is curious. You have it with rmix, so it's ok though.

I didn't investigate too deeply to know why we need it. Maybe that would
be a good thing for me to do ;)

> Acked-By: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
>
> > # for usb access
> > /dev/bus/usb/ r,
> > /etc/udev/udev.conf r,
> > /sys/bus/ r,
> > /sys/class/ r,
> >
> > + # nscd pieces
> > + /run/nscd/group r,
> > + /run/nscd/passwd r,
> > +
>
> These should already be in the nameservice abstraction via this rule:
> /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,
>
> which is already included by libvirt-qemu:
> #include <abstractions/nameservice>
>
> It's ok to have duplicates-- apparmor handles them, but perhaps these aren't
> actually needed?

Ouch, indeed... this rule seems more recent than what we have in SLES,
I'll remove those lines from the profile.

Thanks for the heads up.

--
Cedric

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
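Review bot: the `/bin/bash rmix,` rule added under `# for restore` in the `@@ -118,12 +120,19 @@` hunk lets every confined domain execute a shell, and the comment does not say which step of the restore path invokes it. Because the mode is `ix`, the shell inherits the domain's own profile and gains no access beyond it, so the rule is acceptable as written, but the comment should name the caller so the rule can be audited and dropped once it is no longer needed. In the same hunk, the two rules under `# nscd pieces` (`/run/nscd/group r,` and `/run/nscd/passwd r,`) fall inside the `abstractions/nameservice` rule quoted in the review; either drop them or extend the comment to say they exist for systems whose abstraction predates that rule.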