On 6/23/21 11:43 PM, Christian Ehrhardt wrote:
On Wed, Jun 23, 2021 at 1:28 AM Jim Fehlig <jfehlig@xxxxxxxx> wrote:
I noticed the following denial messages from apparmor in audit.log when
starting confined VMs via the QEMU driver
type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" \
profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 \
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" \
profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" \
name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" \
requested_mask="r" denied_mask="r" fsuid=107 ouid=0
It is possible for site admins to assign names to classids in this file,
which are then used by all libnl tools, possibly those used by libvirt.
To be on the safe side, allow read access to the file in the virt-aa-helper
profile and the libvirt-qemu abstraction.
Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
While this particular rule would be covered in
abstractions/nameservice that would allow much more.
Christian B. mentioned that in V1, and also discouraged its use for the single file.
I agree if we really only need libnl and nothing else then
adapting/adding the existing rule should be better.
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Thanks! I've pushed 3 and 4, and after making a few more tweaks sent a V3 of the
others.
Regards,
Jim