On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
> For quite a while now, libvirt-aa-helper has triggered nss-related apparmor
> denials like:
> operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf"
> operation="open" profile="virt-aa-helper" name="/etc/host.conf"
> operation="open" profile="virt-aa-helper" name="/etc/resolv.conf"
> operation="open" profile="virt-aa-helper" name="/etc/hosts"
>
> Rules to allow these have been in Debian [1] / Ubuntu [2] for quite a
> while but do not seem to be specific to those distributions.
>
> There can be many more reasons than one would think to inadvertently
> use/trigger nameservices, as can be seen in the comments in
> profiles/apparmor.d/abstractions/nameservice at [3].
> The nameservice abstraction provides a nice and upgrade-safe
> way to cover all of them.
>
> [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882979
> [2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
> [3]: https://gitlab.com/apparmor/apparmor
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---
> src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index dd18c8ab89..dfc61e8de4 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -2,6 +2,7 @@
>
> profile virt-aa-helper @libexecdir@/virt-aa-helper {
> #include <abstractions/base>
> + #include <abstractions/nameservice>

nameservice brings in network rules, so this is actually a lot of access.
Why is it reaching out to nss? Is it just because some library happens to
look at /etc/nsswitch.conf and pull in other things, or does it actually
need networking? I suspect the former.

If my suspicion is true, perhaps instead:

# virt-aa-helper dependent libraries read (and if successful, other
# files) but virt-aa-helper itself doesn't require the access, so
# silence the denial.
deny /etc/nsswitch.conf r,

-- 
Jamie Strandboge | http://www.canonical.com
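Review bot: the single added line `#include <abstractions/nameservice>` grants far more than the four read denials the commit message lists (/etc/nsswitch.conf, /etc/host.conf, /etc/resolv.conf, /etc/hosts), because that abstraction also carries network rules and rules for the other nss backends, none of which appear in the quoted denials. Either state in the commit message why virt-aa-helper needs the whole abstraction, or replace the include with explicit read-only rules for exactly the denied files, e.g. `/etc/nsswitch.conf r,` and `/etc/hosts r,` (and likewise for /etc/host.conf and /etc/resolv.conf), which clears every denial quoted above without adding network access to the profile. The commit message should also say whether the Debian/Ubuntu rules it points to use the abstraction or per-file rules, since that is the question this review turns on.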
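To make the least-privilege alternative concrete, here is an added example (my code, not part of the patch or of either message in the thread) that turns AppArmor denial lines into the narrowest matching file rules: one rule per denied path, carrying only the permission bits that were actually denied. Comparing that list with what an abstraction would grant is the check a reviewer wants before accepting a broad `#include`. The log lines are constructed for this example in the field layout AppArmor's audit messages use (`apparmor="DENIED" operation=... profile=... name=... requested_mask=... denied_mask=...`); the quoted denials in the commit message are the same lines with the extra fields trimmed.

```python
import re

# Constructed sample denials in AppArmor's audit format (not copied from a real host).
SAMPLE_DENIALS = """\
apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/host.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/resolv.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=1235 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="value" pairs; AppArmor quotes every field value we care about.
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_denial(line):
    """Return the key/value fields of one DENIED audit line, or None for
    anything else (ALLOWED, STATUS, unrelated log noise)."""
    fields = dict(FIELD.findall(line))
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def minimal_rules(log_text, profile):
    """Build sorted, de-duplicated AppArmor file rules for `profile` that
    allow exactly the denied accesses and nothing more. Only denied_mask is
    used (requested_mask as a fallback), so an open that was denied "r" never
    becomes an "rw" rule."""
    wanted = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if not d or d.get("profile") != profile or "name" not in d:
            continue
        mask = d.get("denied_mask") or d.get("requested_mask") or ""
        wanted.setdefault(d["name"], set()).update(mask)
    return sorted(f"{path} {''.join(sorted(perms))},"
                  for path, perms in wanted.items())


def silence_rules(rules):
    """Jamie's alternative for accesses the program does not really need:
    the same rules prefixed with `deny`, which stops the log noise without
    granting anything."""
    return [f"deny {rule}" for rule in rules]


if __name__ == "__main__":
    allow = minimal_rules(SAMPLE_DENIALS, "virt-aa-helper")
    print("# narrowest rules that clear the logged denials:")
    print("\n".join(allow))
    print("# or, if the access is not actually needed:")
    print("\n".join(silence_rules(allow)))
```

Run it against `journalctl -k` or `/var/log/audit/audit.log` output from the affected host and diff the result against the abstraction file under `/etc/apparmor.d/abstractions/`; every rule the abstraction adds that is not in this list is access the denials did not ask for.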