On Tue, Jan 22, 2019 at 2:40 PM Michal Privoznik <mprivozn@xxxxxxxxxx> wrote: > > Both of these binaries are spawned by libvirt. Add a rule to the > default profile to allow that. > > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > src/security/apparmor/usr.sbin.libvirtd | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd > index 660d72abc1..8a402bd6ec 100644 > --- a/src/security/apparmor/usr.sbin.libvirtd > +++ b/src/security/apparmor/usr.sbin.libvirtd > @@ -98,6 +98,8 @@ > audit deny /sys/kernel/security/apparmor/.* rwxl, > /sys/kernel/security/apparmor/profiles r, > /usr/{lib,lib64}/libvirt/* PUxr, > + /usr/libexec/virt-aa-helper PUxr, > + /usr/libexec/libvirt_lxc PUxr, > /usr/libexec/libvirt_parthelper ix, > /usr/libexec/libvirt_iohelper ix, In this case this would not have been that bad, as the rule above would have covered the Debian/Ubuntu case. But as in my former reply, now that you have made me think about it, I'd think we'd actually want $(get --libexecdir )/* PUxr, instead of all 5 lines above > /etc/libvirt/hooks/** rmix, > -- > 2.19.2 > -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd
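Review bot: the two added rules hardcode /usr/libexec for virt-aa-helper and libvirt_lxc, so they only match builds whose libexecdir is that path, while the context rule `/usr/{lib,lib64}/libvirt/* PUxr,` handles the other layout with a separate glob; generating the path from the configured libexecdir at build time would avoid maintaining per-distro lines. Also worth stating in the commit message: PUxr falls back to unconfined execution when no profile is loaded for the target, which is a broader grant than the `ix` used for libvirt_parthelper and libvirt_iohelper directly below, so the message should say which profile each helper is expected to transition into and why inheriting the libvirtd profile is not sufficient.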