On Thu, Jun 24, 2021 at 08:24:05AM -0600, Jim Fehlig wrote:
> On 6/23/21 11:43 PM, Christian Ehrhardt wrote:
> > On Wed, Jun 23, 2021 at 1:27 AM Jim Fehlig <jfehlig@xxxxxxxx> wrote:
> > >
> > > A new apparmor profile derived from the libvirtd profile, with non-QEMU
> > > related rules removed. Adopt the libvirt-qemu abstraction to work with
> > > the new profile.
> > >
> > > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> >
> > Thanks for your work on this, but since in the split daemon mode
> > virtqemud will do the majority of the tasks I wonder if along this
> > change (or later) we should consider removing rules from the libvirtd
> > profile.
>
> AFAIK (at least in theory), the modular and monolithic daemons are mutually
> exclusive. Either you run the desired modular daemon(s) or the monolithic
> libvirtd. So the libvirtd rules need to stay IMO.
>
> And IIRC, Daniel has long-term plans to remove the monolithic daemon, at
> which point the libvirtd profile can be dropped too.
>
> > It should now have fewer tasks and therefore need fewer permissions.
> > Have you had the chance to take a look into that already?
> >
> > There is a bonus problem though: as long as we provide the option to build
> > non-split daemons we would effectively need two profiles.
> > One for the monolithic libvirtd and a reduced one for the split kind.
>
> Agreed. We'll need both as long as we have the modular and monolithic daemons.

FWIW, when making the Fedora feature proposal[1] I stated that we intend to
keep the monolithic libvirtd upstream for /at least/ 1 year, starting from
when a major Linux distro has a release that defaults to the modular daemons.
So that's going to be at least late 2022 before we talk about deleting
libvirtd.

Regards,
Daniel

[1] https://fedoraproject.org/wiki/Changes/LibvirtModularDaemons

--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|