On Wed, 29 Jan 2020, Michal Privoznik wrote:

> On 1/27/20 5:30 PM, Jamie Strandboge wrote:
> > On Sat, 25 Jan 2020, Michal Privoznik wrote:
> >
> > > These helper binaries are installed under libexec dir not lib
> > > dir.
> > >
> > > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> > > ---
> > > src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
> > > src/security/apparmor/usr.sbin.libvirtd | 4 ++--
> > > 2 files changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> > > index 11e9c039ca..504c70e0ce 100644
> > > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> > > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> > > @@ -39,7 +39,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
> > > deny /dev/mapper/ r,
> > > deny /dev/mapper/* r,
> > > - /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
> > > + /usr/libexec/virt-aa-helper mr,
> >
> > I suggest you use this instead here and in the rest of the patch series:
> >
> > /usr/{lib,lib64,libexec}/libvirt/virt-aa-helper mr,
> >
> > since it will let existing installs continue to work.
>
> You mean some downstream has installed virt-aa-helper into /usr/lib or
> /usr/lib64? Because the upstream install rule says /usr/libexec/.

Well, I was thinking the rule was what it was for a reason, so with my distro hat on, changing it to just libexec sounded like a potential pain point for upgraders. I also understand that the policy is intended as example policy that distros can adjust as needed, so perhaps it is ok to cut straight to libexec in this patchset... I don't have objections if you prefer to keep it as is.

-- 
Jamie Strandboge | http://www.canonical.com
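
Review bot: the added rule `/usr/libexec/virt-aa-helper mr,` no longer matches the profile's own attachment path, which the `@@` context line still shows as `/usr/{lib,lib64}/libvirt/virt-aa-helper`. As shown, the path-based attachment would not match a binary installed at the libexec path, and a host that still ships the helper under lib or lib64 loses the `mr` rule on its own executable. Update the attachment path in the same change, or keep both locations in a single rule. The alternation proposed in the reply, `/usr/{lib,lib64,libexec}/libvirt/virt-aa-helper`, expands to `/usr/libexec/libvirt/virt-aa-helper`, which is not the path this hunk adds (`/usr/libexec/virt-aa-helper`), so confirm the exact libexec path the install rule produces before settling on a pattern.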