[PATCH 2/2] apparmor: allow unmounting .dev entries

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



With qemu 5.0 and libvirt 6.6 there are new apparmor denials:
  apparmor="DENIED" operation="umount" profile="libvirtd"
  name="/run/libvirt/qemu/1-kvmguest-groovy-norm.dev/" comm="rpc-worker"

These are related to new issues around devmapper handling [1] and the
error path triggered by these issues now causes this new denial.

There are already related rules for mounting and it seems right to
allow also the related umount.

[1]: https://www.redhat.com/archives/libvir-list/2020-August/msg00236.html

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
---
 src/security/apparmor/usr.sbin.libvirtd.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 1e137039e9..7c48b36e3d 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -31,6 +31,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
 
   mount options=(rw,rslave)  -> /,
   mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
+  umount /{var/,}run/libvirt/qemu/*.dev/,
 
   # libvirt provides any mounts under /dev to qemu namespaces
   mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
-- 
2.27.0




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux