On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge <jamie@xxxxxxxxxx> > > This is required for the ebtables functionality added in > libvirt 0.8.0. > > Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> > --- > examples/apparmor/usr.sbin.libvirtd | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/examples/apparmor/usr.sbin.libvirtd > b/examples/apparmor/usr.sbin.libvirtd > index 8d61d15..2b6b33a 100644 > --- a/examples/apparmor/usr.sbin.libvirtd > +++ b/examples/apparmor/usr.sbin.libvirtd > @@ -76,6 +76,10 @@ > /usr/{lib,lib64}/xen/bin/* Ux, > /usr/lib/xen-*/bin/libxl-save-helper PUx, > > + # Required by > nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to > + # write and run an ebtables script. > + /var/lib/libvirt/virtd* ixr, > + s/write and run/read and run/, then +1 to apply. The ixr rule makes it so anything that is executed in there inherits this profile. This profile is of course super-lenient, but the ix means if in the future we choose to go more strict, the virtd scripts will also be affected. -- Jamie Strandboge | http://www.canonical.com
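Review bot: The comment in the added lines says the rule is needed to "write and run" an ebtables script, but `/var/lib/libvirt/virtd* ixr,` grants only read and inherit-execute, with no `w`. Either reword the comment to "read and run" so it matches the permissions, or, if ebiptablesWriteToTempFile() depends on this rule to create the file, add the write permission explicitly. The `virtd*` glob also matches every file directly under /var/lib/libvirt whose name starts with virtd, and `ix` runs each of them under libvirtd's own profile, so the comment should say that both the pattern and the inherit transition are intentional.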
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list