[PATCH 3/8] apparmor: allow virt-aa-helper nameservices

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Since quite a while libvirt-aa-helper triggers nss related apparmor
denials like:
 operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf"
 operation="open" profile="virt-aa-helper" name="/etc/host.conf"
 operation="open" profile="virt-aa-helper" name="/etc/resolv.conf"
 operation="open" profile="virt-aa-helper" name="/etc/hosts"

Rules to allow these are in Debian [1] / Ubuntu [2] since quite a
while but do not seem to be specific to those distributions.

There can be much more reasons than one would think to inadvertently
use/trigger nameservices as can be seen in the comments in
profiles/apparmor.d/abstractions/nameservice at [3].
The nameservices abstraction provides a nice and upgrade safe
way to cover all of them.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882979
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
[3]: https://gitlab.com/apparmor/apparmor

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index dd18c8ab89..dfc61e8de4 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -2,6 +2,7 @@
 
 profile virt-aa-helper @libexecdir@/virt-aa-helper {
   #include <abstractions/base>
+  #include <abstractions/nameservice>
 
   # needed for searching directories
   capability dac_override,
-- 
2.27.0




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux