On 1/22/19 3:14 PM, Christian Ehrhardt wrote:
> On Tue, Jan 22, 2019 at 2:40 PM Michal Privoznik <mprivozn@xxxxxxxxxx> wrote:
>>
>> Both of these binaries are spawned by libvirt. Add a rule to the
>> default profile to allow that.
>>
>> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
>> ---
>>  src/security/apparmor/usr.sbin.libvirtd | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
>> index 660d72abc1..8a402bd6ec 100644
>> --- a/src/security/apparmor/usr.sbin.libvirtd
>> +++ b/src/security/apparmor/usr.sbin.libvirtd
>> @@ -98,6 +98,8 @@
>>  audit deny /sys/kernel/security/apparmor/.* rwxl,
>>  /sys/kernel/security/apparmor/profiles r,
>
>
>>  /usr/{lib,lib64}/libvirt/* PUxr,
>> + /usr/libexec/virt-aa-helper PUxr,
>> + /usr/libexec/libvirt_lxc PUxr,
>>  /usr/libexec/libvirt_parthelper ix,
>>  /usr/libexec/libvirt_iohelper ix,
>
> In this case this would not have been that bad, as the rule above
> would have covered the Debian/Ubuntu case.
> But as in my former reply, now that you have made me think about it
> I'd think we'd actually want
>  $(get --libexecdir )/* PUxr,
> instead of all 5 lines above

This will work if all the binaries are placed in a separate folder.
However, if they are not and live right under the libexec/ dir I don't
think it would be safe to allow just any binary from the dir.

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
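Review bot: the PUxr mode on the two added lines falls back to running the child unconfined when no profile is attached to the executed path, so this hunk only confines anything if a profile actually matches /usr/libexec/virt-aa-helper and /usr/libexec/libvirt_lxc; if the helper's own profile (where one is shipped) still attaches only to the /usr/{lib,lib64}/libvirt/ path covered by the existing glob rule, the new rule silently executes it without confinement. For a binary that has its own profile, Pxr (no unconfined fallback) makes that misconfiguration fail loudly instead. Also consider deriving the two paths from the configured libexecdir, as the reply suggests, but as per-binary entries rather than "/*": that fixes the hard-coded /usr/libexec prefix while keeping the explicit allow-list the follow-up argues for.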