
On Wed, Jun 23, 2021 at 1:28 AM Jim Fehlig <jfehlig@suse.com> wrote:
I noticed the following denial when running confined VMs with the QEMU driver
type=AVC msg=audit(1623865089.263:865): apparmor="DENIED" operation="open" \ profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=12503 \ comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Allow reading the file by including the openssl abstraction in the virt-aa-helper profile.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
While I don't immediately see which configuration makes virt-aa-helper need openssl, it is an abstraction that isn't allowing a lot, so IMHO that should be ok to add.
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
--- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index 8ebb47596a..ff1d46bebe 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -2,6 +2,7 @@
profile virt-aa-helper @libexecdir@/virt-aa-helper { #include <abstractions/base> + #include <abstractions/openssl>
# needed for searching directories capability dac_override, -- 2.31.1
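Review bot: the added `#include <abstractions/openssl>` line has no comment saying why virt-aa-helper needs it, while the rule just below it is annotated ("# needed for searching directories"). Please add a one-line comment above the include that names the denial it resolves (the read of /etc/ssl/openssl.cnf). The commit message should also record which code path or configuration triggers that read, since the review reply could not identify it either. The logged denial covers a single file with requested_mask="r", so it would also help to state why the whole abstraction was chosen over one read rule for that path.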
-- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd