The AppArmor profile generated by virt-aa-helper is too strict for swtpm. This change contains 2 small fixes:
- Relax append access to swtpm's log file to permit write access instead. Append access is insufficient because the log is opened with O_CREAT.
- Permit swtpm to acquire a lock on its lock file.
Signed-off-by: Chris Coulson <chris.coulson@xxxxxxxxxxxxx>
---
 src/security/virt-aa-helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 326cfaf52a..3d7cc32459 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1238,10 +1238,10 @@ get_files(vahControl * ctl)
 * directory, log, and PID files. */
 virBufferAsprintf(&buf,
- " \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+ " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
 LOCALSTATEDIR, uuidstr, tpmpath);
 virBufferAsprintf(&buf,
- " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+ " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" w,\n",
 LOCALSTATEDIR, ctl->def->name);
 virBufferAsprintf(&buf,
 " \"%s/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
-- 
2.20.1
-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
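Review bot: The second added line widens the swtpm log rule from append-only (`a`) to full write (`w`) with no comment in the code recording why, so a later maintainer seeing `w` next to the neighbouring `rw` rules has no signal that it must not be tightened back to `a`; the justification lives only in the commit message. Add a why-comment above that `virBufferAsprintf` call, e.g. `/* 'w' rather than 'a': swtpm opens its log with O_CREAT, which append-only access does not permit; this also allows the confined process to truncate its own log. */`. The first added line likewise grants lock permission (`k`) over the whole state tree `.../swtpm/%s/%s/**`, which the same comment block could note (`k` is for swtpm's lock file), since the existing "state directory, log, and PID files" comment does not mention locking. The enclosing `get_files()` body starts and ends outside the hunk, so whether `ctl->def->name` is validated against AppArmor glob characters before being formatted into these rules cannot be confirmed from here; that is pre-existing and not changed by this patch.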