On Tue, Jan 22, 2019 at 03:09:17PM +0100, Christian Ehrhardt wrote:
> On Tue, Jan 22, 2019 at 2:40 PM Michal Privoznik <mprivozn@xxxxxxxxxx> wrote:
> >
> > These helper binaries are installed under libexec dir not lib
> > dir.
> >
> > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> > ---
> > src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
> > src/security/apparmor/usr.sbin.libvirtd | 4 ++--
> > 2 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> > index de9436872c..e2c336fca0 100644
> > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> > @@ -33,7 +33,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
> > deny /dev/mapper/ r,
> > deny /dev/mapper/* r,
> >
> > - /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
> > + /usr/libexec/virt-aa-helper mr,
>
> In a common Debian/Ubuntu installation those are in fact in /usr/lib/libvirt/
> So this change would break us.
> To me it seems the current content matches the distros with apparmor in place.
> Not sure about Suse here atm.
>
> But if we are changing that we should consider making this dependent
> on --libexecdir as this is where this path really comes from.
> And Debian/Ubuntu are setting --libexecdir=\${prefix}/lib/libvirt at
> config time.

Agreed, any path in the AppArmor profile that is related to libvirt should be a
variable that is substituted in at build time to take account of possible
distro differences.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
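
Review bot: the added `/usr/libexec/virt-aa-helper mr,` rule no longer agrees with the profile attachment path shown in the hunk header, `profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {`, which the diffstat (one line changed in this file) indicates is left as it was. With the attachment naming one location and the self `mr` rule naming another, the profile is consistent for neither layout, and installs that keep the helper under /usr/lib/libvirt/ lose the rule they rely on. Either generate both paths from the configured libexecdir at build time, as the replies ask, or keep the existing `/usr/{lib,lib64}/libvirt/virt-aa-helper mr,` line and add the libexec path beside it, updating the `profile` line to match.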