Re: [PATCH 1/4] apparmor: Fix parthelper, iohelper and virt-aa-helper paths in profiles

On Tue, Jan 22, 2019 at 2:40 PM Michal Privoznik <mprivozn@xxxxxxxxxx> wrote:
>
> These helper binaries are installed under libexec dir not lib
> dir.
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
>  src/security/apparmor/usr.sbin.libvirtd              | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> index de9436872c..e2c336fca0 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -33,7 +33,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>    deny /dev/mapper/ r,
>    deny /dev/mapper/* r,
>
> -  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
> +  /usr/libexec/virt-aa-helper mr,

In a common Debian/Ubuntu installation those are in fact in /usr/lib/libvirt/,
so this change would break us.
To me it seems the current content matches the distro's with apparmor in place.
Not sure about Suse here atm.

But if we are changing that we should consider making this dependent
on --libexecdir as this is where this path really comes from.
And Debian/Ubuntu are setting --libexecdir=\${prefix}/lib/libvirt at
config time.

>    /{usr/,}sbin/apparmor_parser Ux,
>
>    /etc/apparmor.d/libvirt/* r,
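Review bot: the profile attachment line in the hunk header, `profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {`, is left untouched while the self-access rule below it is moved to `/usr/libexec/virt-aa-helper mr,`; after this change a binary installed under /usr/libexec would not be matched by the profile's attachment path at all, and a binary installed under /usr/lib/libvirt would attach but lose its own `mr` rule. Both paths should be updated together, and since the location is the configured libexecdir rather than a fixed one, substituting it into the profile at build time (or keeping a brace alternation such as `/usr/{lib,lib64,libexec}/...` that covers both layouts) would avoid breaking distributions that set --libexecdir to /usr/lib/libvirt.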
> diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
> index f0ffc53008..660d72abc1 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd
> +++ b/src/security/apparmor/usr.sbin.libvirtd
> @@ -98,8 +98,8 @@
>    audit deny /sys/kernel/security/apparmor/.* rwxl,
>    /sys/kernel/security/apparmor/profiles r,
>    /usr/{lib,lib64}/libvirt/* PUxr,
> -  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
> -  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
> +  /usr/libexec/libvirt_parthelper ix,
> +  /usr/libexec/libvirt_iohelper ix,
>    /etc/libvirt/hooks/** rmix,
>    /etc/xen/scripts/** rmix,
>
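Review bot: replacing `/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,` and `libvirt_iohelper ix,` with fixed /usr/libexec paths changes the confinement outcome on installs that keep the helpers under /usr/lib/libvirt: those binaries no longer match the `ix` rules and fall through to the remaining `/usr/{lib,lib64}/libvirt/* PUxr,` rule, so they would run unconfined instead of inheriting libvirtd's profile. Conversely, on a libexec install nothing in this hunk covers other helpers in /usr/libexec the way the wildcard covers /usr/lib/libvirt. Suggest keeping the two layouts in one alternation, `/usr/{lib,lib64,libexec}/{libvirt/,}libvirt_parthelper ix,` or similar, or deriving the path from libexecdir at build time so the `ix` rules track where the helpers are actually installed.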
> --
> 2.19.2
>


-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list