On 1/22/19 3:14 PM, Christian Ehrhardt wrote:
On Tue, Jan 22, 2019 at 2:40 PM Michal Privoznik <mprivozn@redhat.com> wrote:
Both of these binaries are spawn by libvirt. Add a rule to the default profile to allow that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/apparmor/usr.sbin.libvirtd | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index 660d72abc1..8a402bd6ec 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -98,6 +98,8 @@ audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r,
/usr/{lib,lib64}/libvirt/* PUxr, + /usr/libexec/virt-aa-helper PUxr, + /usr/libexec/libvirt_lxc PUxr, /usr/libexec/libvirt_parthelper ix, /usr/libexec/libvirt_iohelper ix,
In this case this would not have been that bad, as the rule above would have covered the Debian/Ubuntu case. But as in my former reply, now that you have made me thinking about it I'd think we'd actually want $(get --libexecdir )/* PUxr, instead of all 5 lines above
This will work if all the binaries are placed in a separate folder. However, if they are not and live right under libexec/ dir I don't think it would be safe to allow just any binary from the dir. Michal