For quite a while now libvirt-aa-helper has triggered nss related apparmor denials like:

operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf"
operation="open" profile="virt-aa-helper" name="/etc/host.conf"
operation="open" profile="virt-aa-helper" name="/etc/resolv.conf"
operation="open" profile="virt-aa-helper" name="/etc/hosts"

Rules to allow these have been in Debian [1] / Ubuntu [2] for quite a while but do not seem to be specific to those distributions.

There can be many more reasons than one would think to inadvertently use/trigger nameservices, as can be seen in the comments in profiles/apparmor.d/abstractions/nameservice at [3]. The nameservices abstraction provides a nice and upgrade safe way to cover all of them.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882979
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
[3]: https://gitlab.com/apparmor/apparmor

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>

--- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index dd18c8ab89..dfc61e8de4 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -2,6 +2,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { #include <abstractions/base> + #include <abstractions/nameservice> # needed for searching directories capability dac_override, -- 2.27.0
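Review bot: the added `#include <abstractions/nameservice>` grants considerably more than the four reads the commit message lists, since the upstream abstraction also carries inet/inet6 stream and dgram network rules and read access to resolver, NIS, LDAP and nscd/sssd related paths, so this hunk widens a profile that already holds `capability dac_override` well beyond /etc/nsswitch.conf, /etc/host.conf, /etc/resolv.conf and /etc/hosts; either say in the commit message that the wider grant is intended, or add the four explicit `r,` rules instead. Two smaller points: the new line has no comment while the rule right below it is annotated (`# needed for searching directories`), so a one-line comment naming the nss denials would keep the file's style, and the commit message says "nameservices abstraction" while the include is `abstractions/nameservice`.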
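The commit message reasons from a handful of apparmor="DENIED" audit lines to a profile change. The following is an added triage helper, not part of this patch or of libvirt: it parses constructed audit lines modelled on the four denials quoted above (pid, comm and mask fields are made up), groups the refused paths per profile, and emits explicit `path mask,` rules for anything not already in a list of paths assumed to be covered by the abstraction. The covered-path list is an assumption taken from the commit message, not from the abstraction file itself.

```python
import re
from collections import defaultdict

# Constructed sample audit lines, modelled on the denials quoted in the commit message.
# Only operation/profile/name match the page; the other fields are made up, and the
# last line is a constructed path that no abstraction is assumed to cover.
SAMPLE_LOG = """\
audit: type=1400 audit(1600000000.001:10): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1600000000.002:11): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/host.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1600000000.003:12): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/resolv.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1600000000.004:13): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1600000000.005:14): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf" pid=1235 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1600000000.006:15): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/tmp/constructed-example" pid=1235 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Matches key="value" pairs; unquoted fields such as pid=1234 are deliberately ignored.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Yield a dict of quoted fields for every line that carries apparmor="DENIED"."""
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            yield fields


def denied_paths_by_profile(text):
    """Map profile name -> sorted list of (path, denied_mask), duplicates collapsed."""
    out = defaultdict(set)
    for d in parse_denials(text):
        if "name" in d:  # file-access denials carry name=; network ones do not
            out[d["profile"]].add((d["name"], d.get("denied_mask", "")))
    return {profile: sorted(entries) for profile, entries in out.items()}


# Assumption: the four paths named in the commit message are covered by
# abstractions/nameservice; the real abstraction covers more than these.
NAMESERVICE_PATHS = {
    "/etc/nsswitch.conf",
    "/etc/host.conf",
    "/etc/resolv.conf",
    "/etc/hosts",
}


def suggest_rules(text, covered=frozenset(NAMESERVICE_PATHS)):
    """Return per profile the explicit 'path mask,' rules still needed after the
    covered paths are removed; an empty list means the abstraction alone suffices."""
    rules = {}
    for profile, entries in denied_paths_by_profile(text).items():
        rules[profile] = [f"{path} {mask}," for path, mask in entries if path not in covered]
    return rules


if __name__ == "__main__":
    for profile, entries in denied_paths_by_profile(SAMPLE_LOG).items():
        print(profile, entries)
    print(suggest_rules(SAMPLE_LOG))
```

Feeding real `journalctl -k` or audit.log output through the same functions gives a quick answer to the question the patch raises: whether the four nss files are the only denials, or whether the helper also needs something the abstraction does not grant.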