On Sat, 25 Jan 2020, Michal Privoznik wrote:
The profile name should reflect the path under which the binary
it describes is installed.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/security/Makefile.inc.am | 10 +++++-----
...bvirt.virt-aa-helper => usr.libexec.virt-aa-helper} | 4 ++--
2 files changed, 7 insertions(+), 7 deletions(-)
rename src/security/apparmor/{usr.lib.libvirt.virt-aa-helper =>
usr.libexec.virt-aa-helper} (93%)
diff --git a/src/security/Makefile.inc.am b/src/security/Makefile.inc.am
index 6fe9d50f29..02efefd6d6 100644
--- a/src/security/Makefile.inc.am
+++ b/src/security/Makefile.inc.am
@@ -38,7 +38,7 @@ EXTRA_DIST += \
security/apparmor/TEMPLATE.lxc \
security/apparmor/libvirt-qemu \
security/apparmor/libvirt-lxc \
- security/apparmor/usr.lib.libvirt.virt-aa-helper \
+ security/apparmor/usr.libexec.virt-aa-helper \
security/apparmor/usr.sbin.libvirtd \
$(NULL)
@@ -91,7 +91,7 @@ endif WITH_SECDRIVER_APPARMOR
if WITH_APPARMOR_PROFILES
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
- security/apparmor/usr.lib.libvirt.virt-aa-helper \
+ security/apparmor/usr.libexec.virt-aa-helper \
security/apparmor/usr.sbin.libvirtd \
$(NULL)
@@ -111,11 +111,11 @@ APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
install-apparmor-local:
$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
echo "# Site-specific additions and overrides for \
- 'usr.lib.libvirt.virt-aa-helper'" \
- >"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
+ 'usr.libexec.virt-aa-helper'" \
+ >"$(APPARMOR_LOCAL_DIR)/usr.libexec.virt-aa-helper"
uninstall-apparmor-local:
- rm -f "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
+ rm -f "$(APPARMOR_LOCAL_DIR)/usr.libexec.virt-aa-helper"
rmdir "$(APPARMOR_LOCAL_DIR)" || :
INSTALL_DATA_LOCAL += install-apparmor-local
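Review bot: The redirect `>"$(APPARMOR_LOCAL_DIR)/usr.libexec.virt-aa-helper"` in install-apparmor-local truncates the file on every install, so site-specific rules an administrator has placed there are replaced by the one-line comment whenever the tree is reinstalled. Creating the stub only when it is missing would keep them, for example by prefixing the echo with `test -f "$(APPARMOR_LOCAL_DIR)/usr.libexec.virt-aa-helper" ||`. After the rename, uninstall-apparmor-local also no longer removes a `usr.lib.libvirt.virt-aa-helper` left by an earlier install, so that file stays under `local/` unless packaging cleans it up.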
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
b/src/security/apparmor/usr.libexec.virt-aa-helper
similarity index 93%
rename from src/security/apparmor/usr.lib.libvirt.virt-aa-helper
rename to src/security/apparmor/usr.libexec.virt-aa-helper
index 504c70e0ce..25754037e1 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/src/security/apparmor/usr.libexec.virt-aa-helper
@@ -1,7 +1,7 @@
# Last Modified: Mon Apr 5 15:10:27 2010
#include <tunables/global>
-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+profile virt-aa-helper /usr/libexec/virt-aa-helper {
I suggest using this for the previous reasons:
profile virt-aa-helper /usr/{lib,lib64,libexec}/libvirt/virt-aa-helper {
The filename rename is fine though (the filename doesn't have to match
the profile name or binary attachment, so picking what we expect to be
the normal use case is fine).
#include <abstractions/base>
# needed for searching directories
@@ -70,5 +70,5 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
- #include <local/usr.lib.libvirt.virt-aa-helper>
+ #include <local/usr.libexec.virt-aa-helper>
}
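Review bot: With the include changed to `<local/usr.libexec.virt-aa-helper>`, rules a site already keeps in `local/usr.lib.libvirt.virt-aa-helper` stop being part of the profile after an upgrade, and nothing reports that the old file is no longer read. Lost allow rules would show up as helper failures, but lost `deny` rules would quietly leave the helper less confined than the administrator intended. The commit message or release notes should tell administrators to move their overrides to the new file name, or the install step could carry an existing file over. The profile body between the two hunks is outside the diff, so this is based on the include line alone.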
--
2.24.1
--
Jamie Strandboge |
http://www.canonical.com