Re: [libvirt] [PATCH v2] apparmor, libvirt-qemu: add default pki path of libvirt-spice
On Wed, 2017-12-20 at 12:41 +0100, Christian Ehrhardt wrote:
Adding the PKI path that is used as default suggestion in
src/qemu/qemu.conf
If people use non-default paths they should use local overrides but
the
suggested defaults we should open up.
This is the default path as referenced by src/qemu/qemu.conf in
libvirt.
While doing so merge the several places we have to cover PKI access
into
one.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index fa2b753..f206f6c 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -88,8 +88,11 @@
/usr/share/qemu-efi/** r,
/usr/share/slof/** r,
- # access PKI infrastructure
- /etc/pki/libvirt-vnc/** r,
+ # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+ /etc/pki/CA/ r,
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
# the various binaries
/usr/bin/kvm rmix,
@@ -156,12 +159,6 @@
/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/(a){multiarch}/qemu/*.so mr,
- # for use by libvirt-vnc (LP: #901272)
- /etc/pki/CA/ r,
- /etc/pki/CA/* r,
- /etc/pki/libvirt/ r,
- /etc/pki/libvirt/** r,
-
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
+1 to apply. Thanks for the patch and intrigeri for the feedback.
--
Jamie Strandboge | http://www.canonical.com
Attachments:
- signature.asc (application/pgp-signature — 801 bytes)