On Fri, 01 Mar 2019, Jim Fehlig wrote: > Commit a3ab6d42 changed the libvirtd profile to a named profile > but neglected to accommodate the change in the qemu profile > ptrace and signal rules. As a result, libvirtd is unable to > signal confined qemu processes and hence unable to shutdown > or destroy VMs. > > Add ptrace and signal rules that reference the libvirtd profile > by name in addition to full binary path. > > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> > --- > src/security/apparmor/libvirt-qemu | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu > index 7d28faa163..474aaefdf8 100644 > --- a/src/security/apparmor/libvirt-qemu > +++ b/src/security/apparmor/libvirt-qemu > @@ -16,8 +16,10 @@ > network inet stream, > network inet6 stream, > > + ptrace (readby, tracedby) peer=libvirtd, > ptrace (readby, tracedby) peer=/usr/sbin/libvirtd, > > + signal (receive) peer=libvirtd, > signal (receive) peer=/usr/sbin/libvirtd, > > /dev/net/tun rw, +1 to commit -- Jamie Strandboge | http://www.canonical.com
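Review bot: The two added rules, `ptrace (readby, tracedby) peer=libvirtd,` and `signal (receive) peer=libvirtd,`, sit next to the existing `peer=/usr/sbin/libvirtd` rules with no comment in the profile saying why both peer forms are present. A one-line comment above the ptrace pair, noting that the libvirtd profile became a named profile in a3ab6d42 and that the full-path form is kept alongside the name, would stop a later cleanup from treating one line of each pair as a duplicate and dropping it, which would bring back the failure to shut down or destroy VMs. The commit message could also say in which situation the full-path peer still matches, since it only states that the name is referenced "in addition to" the path. The permission sets on the new lines are identical to the existing ones, so the change adds a peer name without widening what that peer may do.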
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list