On Thu, 2017-10-26 at 08:39 -0500, Jamie Strandboge wrote:
On Thu, 2017-10-26 at 10:22 +0000, intrigeri+libvirt(a)boum.org wrote:
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 819068ffc3..eb24726e08 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -30,10 +30,13 @@
> # Needed for vfio
> capability sys_resource,
>
> + mount,
> +
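Review bot: the bare `mount,` rule added in this hunk is unrestricted: with no `fstype=`, `options=` or destination path qualifier it permits libvirtd to perform any mount operation, a far broader grant than the neighbouring `capability sys_resource,` line, and unlike that line it carries no comment saying which libvirt action requires it. Suggest narrowing it to the mount operations that were actually denied, using AppArmor's qualified form (placeholders here, to be filled from the observed denials) such as `mount fstype=<type> options=(<opts>) -> /<destination>/,`, and adding a `# Needed for ...` comment above it, matching the style of the vfio rule directly above.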
This is interesting since the Ubuntu profile is missing mount rules.
What specific denials/libvirt actions prompted this rule?
Responding to myself now that I read the SUSE bug. I actually suggest
using the fine-grained rules in the SUSE patch because it is much
easier to add more rules for more access than to take them away. These
rules are in the 'examples' directory so I think it is expected that a
distribution may need to tailor them from time to time (hopefully
upstreaming their changes! :).
--
Jamie Strandboge |
http://www.canonical.com