Re: [libvirt PATCH] apparmor: Allow running /usr/libexec/qemu-kvm

On Thu, Nov 03, 2022 at 12:13:53 +0100, Andrea Bolognani wrote:
> Distros that use AppArmor, such as Debian and Ubuntu, install
> QEMU under /usr/bin/qemu-system-*, and our AppArmor profile is
> written with that assumption in mind.
> 
> If you try to run the RHEL or CentOS version of libvirt and
> QEMU inside a privileged container on such distros, however,
> that will result in an error, because the path
> /usr/libexec/qemu-kvm is used instead.

So IIUC by this patch you modify the profile which gets installed into
the Debian/Ubuntu host system by the Debian/Ubuntu package which then in
turn allows the non-Debian/Ubuntu libvirt in the container to do its
job?

I'm basing the above on the fact that the RHEL/CentOS package is
compiled with:

           -Dapparmor=disabled \
           -Dapparmor_profiles=disabled \
           -Dsecdriver_apparmor=disabled \

By extension, does that mean that you have to install libvirt on your
host so that you can in turn run a container (which I'd presume is
opaque) with libvirt bundled inside?



