On Thu, 2017-10-26 at 08:39 -0500, Jamie Strandboge wrote:
> On Thu, 2017-10-26 at 10:22 +0000, intrigeri+libvirt@xxxxxxxx wrote:
> > diff --git a/examples/apparmor/usr.sbin.libvirtd > > b/examples/apparmor/usr.sbin.libvirtd > > index 819068ffc3..eb24726e08 100644 > > --- a/examples/apparmor/usr.sbin.libvirtd > > +++ b/examples/apparmor/usr.sbin.libvirtd > > @@ -30,10 +30,13 @@ > > # Needed for vfio > > capability sys_resource, > > > > + mount, > > +
>
> This is interesting since the Ubuntu profile is missing mount rules.
> What specific denials/libvirt actions prompted this rule?
>

Responding to myself now that I read the SUSE bug. I actually suggest using the fine-grained rules in the SUSE patch because it is much easier to add more rules for more access than to take them away. These rules are in the 'examples' directory so I think it is expected that a distribution may need to tailor them from time to time (hopefully upstreaming their changes! :).

--
Jamie Strandboge | http://www.canonical.com
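
Review bot: the bare `mount,` rule added after `capability sys_resource,` carries no qualifiers, so it allows every mount operation libvirtd attempts, regardless of filesystem type, options, source or mount point. Unlike the capability above it, which is annotated "# Needed for vfio", the new rule has no comment saying which libvirt action requires it. Suggest replacing it with mount rules restricted to the specific operations that were denied, and adding a one-line comment naming the feature that needs them.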
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list