On 1/22/19 1:01 PM, Jamie Strandboge wrote:
On Mon, 14 Jan 2019, Jim Fehlig wrote:Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> --- Optional patch that may need a bit of coorindation with upstream apparmor since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'. src/security/apparmor/usr.sbin.libvirtd | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index 0db52c524c..29f9936ad9 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -2,7 +2,7 @@ #include <tunables/global> @{LIBVIRT}="libvirt"-/usr/sbin/libvirtd flags=(attach_disconnected) {+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/dbus>@@ -51,7 +51,7 @@unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),ptrace (read,trace) peer=unconfined,- ptrace (read,trace) peer=/usr/sbin/libvirtd, + ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*, @@ -123,6 +123,7 @@ # For communication/control from libvirtd unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd,/dev/net/tun rw,/etc/qemu/** r,This also LGTM. It'd be nice if there was a mechanism to specify the parent profile like we can the current profile, but we can't now and this is fine.
Thanks for reviewing these patches! I've pushed them now. Regards, Jim -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
