On 1/29/20 11:53 AM, Jamie Strandboge wrote:
> On Wed, 29 Jan 2020, Michal Privoznik wrote:
>
>> On 1/27/20 5:30 PM, Jamie Strandboge wrote:
>>> On Sat, 25 Jan 2020, Michal Privoznik wrote:
>>>
>>>> These helper binaries are installed under libexec dir not lib
>>>> dir.
>>>>
>>>> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
>>>> ---
>>>> src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
>>>> src/security/apparmor/usr.sbin.libvirtd | 4 ++--
>>>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>>>> index 11e9c039ca..504c70e0ce 100644
>>>> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>>>> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>>>> @@ -39,7 +39,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>>>> deny /dev/mapper/ r,
>>>> deny /dev/mapper/* r,
>>>> - /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
>>>> + /usr/libexec/virt-aa-helper mr,
>>>
>>> I suggest you use this instead here and in the rest of the patch series:
>>>
>>> /usr/{lib,lib64,libexec}/libvirt/virt-aa-helper mr,
>>>
>>> since it will let existing installs to continue to work.
>>
>> You mean some downstream has installed virt-aa-helper into /usr/lib or
>> /usr/lib64? Because the upstream install rule says /usr/libexec/.
>
> Well, I was thinking the rule was what it was for a reason, so with my
> distro hat on, changing it to just libexec sounded like a potential
> pain point for upgraders. I also understand that the policy is intended
> as example policy that distros can adjust as needed, so perhaps it is ok
> to cut straight to libexec in this patchset... I don't have objections
> if you prefer to keep it as is.

With my downstream hat on I also prefer your suggestion. For better or worse, virt-aa-helper is in /usr/lib64/libvirt/ on SUSE distros.

Regards,
Jim
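
Review bot: in the usr.lib.libvirt.virt-aa-helper hunk, the `mr` rule is replaced rather than widened, while the profile attachment visible in the `@@` context still reads `/usr/{lib,lib64}/libvirt/virt-aa-helper`, and the diffstat (one line changed in this file) indicates the attachment is left as is. With the binary under libexec the profile would not attach by path, and with the binary under lib or lib64 the profile would attach but no longer grant `mr` on the binary itself. Suggest changing the attachment and the rule together, and using an alternation that covers both the old and new locations so the two stay consistent. Note also that the new path `/usr/libexec/virt-aa-helper` has no `libvirt/` component, whereas the alternation proposed in the thread keeps it; the rule should be checked against the actual install path before either form is committed.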