On Tue, Feb 04, 2020 at 10:24:07AM +0100, Michal Privoznik wrote:
On 2/3/20 5:50 PM, Daniel P. Berrangé wrote:
On Thu, Jan 30, 2020 at 03:12:31PM +0100, Michal Privoznik wrote:
Both of these binaries are spawn by libvirt. Add a rule to the default profile to allow that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f4fc51d705..c950a83db8 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -99,6 +99,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, @libexecdir@/* puxr, + @libexecdir@/virt-aa-helper PUxr,
I'm really puzzelled about this one. If this was required, then surely apparmor has been broken since day 1 this was introduced to libvirt ?
Can anyone explain why we've been able todo with this rule forever ?
+ @libexecdir@/libvirt_lxc PUxr,
I can understand a little more why this might be missing, as it is not so common as QEMU usage.
Frankly, I don't understand that too. I just copied what was in the gentoo patch. But I can drop this one. The @libexecdir@/* rule should allow what is needed anyway.
Actually, if anything, it probably makes more sense to drop the generic @libexecdir@ rule, as it allows libvirtd to run anything under /usr/libexec which makes the policy pretty useless IMHO. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|