On Wed, Jun 23, 2021 at 1:28 AM Jim Fehlig <jfehlig@xxxxxxxx> wrote: > > I noticed the following denial when running confined VMs with the QEMU > driver > > type=AVC msg=audit(1623865089.263:865): apparmor="DENIED" operation="open" \ > profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=12503 \ > comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > > Allow reading the file by including the openssl abstraction in the > virt-aa-helper profile. > > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> While I don't immediately see which configuration makes virt-aa-helper need openssl it is an abstraction that isn't allowing a lot, so IMHO that should be ok to add. Reviewed-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > --- > src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > index 8ebb47596a..ff1d46bebe 100644 > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > @@ -2,6 +2,7 @@ > > profile virt-aa-helper @libexecdir@/virt-aa-helper { > #include <abstractions/base> > + #include <abstractions/openssl> > > # needed for searching directories > capability dac_override, > -- > 2.31.1 > -- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd
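Review bot: the added `#include <abstractions/openssl>` line in the `profile virt-aa-helper` block has no comment saying why the helper needs it, unlike the `# needed for searching directories` comment on the `capability dac_override,` rule just below it. A one-line comment above the include that names the logged denial (a read of `/etc/ssl/openssl.cnf` by `virt-aa-helper`) would keep the reason in the profile itself. The quoted AVC record shows only `requested_mask="r"` on that single path, so the commit message should also say which library or configuration causes the open, and whether a single-path read rule for `/etc/ssl/openssl.cnf` would satisfy the denial without pulling in the whole abstraction.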