Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf If people use non-default paths they should use local overrides but the suggested defaults we should open up. This is the default path as referenced by src/qemu/qemu.conf in libvirt. While doing so merge the several places we have to cover PKI access into one. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> --- examples/apparmor/libvirt-qemu | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index fa2b753..f206f6c 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -88,8 +88,11 @@ /usr/share/qemu-efi/** r, /usr/share/slof/** r, - # access PKI infrastructure - /etc/pki/libvirt-vnc/** r, + # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt{,-spice,-vnc}/ r, + /etc/pki/libvirt{,-spice,-vnc}/** r, # the various binaries /usr/bin/kvm rmix, @@ -156,12 +159,6 @@ /usr/{lib,lib64}/qemu/*.so mr, /usr/lib/@{multiarch}/qemu/*.so mr, - # for use by libvirt-vnc (LP: #901272) - /etc/pki/CA/ r, - /etc/pki/CA/* r, - /etc/pki/libvirt/ r, - /etc/pki/libvirt/** r, - # for save and resume /{usr/,}bin/dash rmix, /{usr/,}bin/dd rmix, -- 2.7.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
