Hi Jamie,
On Thu, 2015-04-09 at 20:29 -0500, Jamie Strandboge wrote:
On 04/09/2015 04:25 AM, Cédric Bosdonnat wrote:
> SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and
> /usr/share/qemu-kvm need to be accessed by domains.
> ---
> examples/apparmor/libvirt-qemu | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
It is ok as is, but see my comments below.
Acked-By: Jamie Strandboge <jamie(a)canonical.com>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 7aad391..a3043dd 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
...
> @@ -118,12 +120,19 @@
> /bin/dd rmix,
> /bin/cat rmix,
>
> + # for restore
> + /bin/bash rmix,
> +
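Review bot: the `/bin/bash rmix,` addition under `# for restore` is not covered by the commit message, which only describes the SLES 11 `/usr/bin/qemu-kvm` and `/usr/share/qemu-kvm` paths; the message should name which restore path executes bash and why inherit execute (`ix`) is the intended mode, since `ix` keeps bash, and whatever bash then runs, confined by exactly the libvirt-qemu profile rather than a narrower child profile, so reviewers can judge the added reach of the profile.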
This one is curious. You have it with rmix, so it's ok though.
I didn't investigate too deeply to know why we need it. Maybe that would
be a good thing for me to do ;)
Acked-By: Jamie Strandboge <jamie(a)canonical.com>
> # for usb access
> /dev/bus/usb/ r,
> /etc/udev/udev.conf r,
> /sys/bus/ r,
> /sys/class/ r,
>
> + # nscd pieces
> + /run/nscd/group r,
> + /run/nscd/passwd r,
> +
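Review bot: `/run/nscd/group r,` and `/run/nscd/passwd r,` duplicate the nameservice abstraction rule `/{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,` that this profile already pulls in via `#include <abstractions/nameservice>`; either drop the two lines, or, if the SLES copy of the abstraction predates that rule, keep them with a comment stating they are a compatibility shim for the older abstraction so they can be removed once the abstraction catches up.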
These should already be in the nameservice abstraction via this rule:
/{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,
which is already included by libvirt-qemu:
#include <abstractions/nameservice>
It's ok to have duplicates -- apparmor handles them, but perhaps these aren't
actually needed?
Ouch, indeed... this rule seems more recent than what we have in SLES,
I'll remove those lines from the profile.
Thanks for the heads up.
--
Cedric
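The redundancy check Jamie did by hand above (is a rule in the patch already granted by a rule in an included abstraction?) can be automated for simple path rules. The following script is an added example for this thread, not part of the libvirt patch or of AppArmor's own tooling: it expands AppArmor `{a,b}` alternation groups, turns `*`/`**` globs into regexes, and reports which candidate rules are fully covered by an existing rule (same or wider path match, and no permission the existing rule lacks). The candidate rules are the three added in the hunk and the abstraction rule is the one quoted from `abstractions/nameservice`; the helper names and the set-of-letters treatment of permission strings are simplifications chosen for this example, not AppArmor's real permission model (execute qualifiers, owner rules and deny rules are not handled).

```python
import re

# Rule quoted from abstractions/nameservice in the review above.
NAMESERVICE_RULE = "/{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,"

# The three rules the hunk adds to examples/apparmor/libvirt-qemu.
PATCH_RULES = [
    "/bin/bash rmix,",
    "/run/nscd/group r,",
    "/run/nscd/passwd r,",
]


def expand_alternation(path):
    """Expand every AppArmor {a,b,c} group into the list of concrete paths.

    Groups are expanded left to right and recursively, so nested or
    multiple groups produce the full cross product.
    """
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return [path]
    prefix, suffix = path[: m.start()], path[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_alternation(prefix + alt + suffix))
    return out


def glob_to_regex(pattern):
    """Translate an alternation-free AppArmor path glob into a compiled regex.

    '*' matches any run of characters except '/', '**' also crosses '/',
    and '?' matches one non-'/' character; everything else is literal.
    """
    regex = ""
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if i + 1 < len(pattern) and pattern[i + 1] == "*":
                regex += ".*"
                i += 2
                continue
            regex += "[^/]*"
        elif c == "?":
            regex += "[^/]"
        else:
            regex += re.escape(c)
        i += 1
    return re.compile("^" + regex + "$")


def parse_rule(line):
    """Split 'path perms,' into (path, set of permission letters)."""
    body = line.strip().rstrip(",").strip()
    path, perms = body.rsplit(None, 1)
    return path, set(perms)  # simplification: perms treated as a bag of letters


def rule_covered_by(candidate, existing):
    """True if every concrete path of `candidate` is matched by some concrete
    path of `existing` and `candidate` asks for no permission `existing` lacks."""
    cpath, cperms = parse_rule(candidate)
    epath, eperms = parse_rule(existing)
    if not cperms <= eperms:
        return False
    matchers = [glob_to_regex(p) for p in expand_alternation(epath)]
    return all(any(m.match(c) for m in matchers) for c in expand_alternation(cpath))


def redundant_rules(candidates, existing_rules):
    """Return the candidate rules already granted by one of `existing_rules`."""
    return [c for c in candidates
            if any(rule_covered_by(c, e) for e in existing_rules)]


if __name__ == "__main__":
    for rule in PATCH_RULES:
        status = "redundant" if rule in redundant_rules([rule], [NAMESERVICE_RULE]) else "needed"
        print(f"{rule:28} {status}")
```

Run against the thread's rules it flags the two nscd lines as redundant and leaves `/bin/bash rmix,` as needed, which is the conclusion reached in the review; the same check catches the reverse mistake too, a patch rule that asks for `rw` where the abstraction only grants `r` is reported as not covered rather than silently assumed harmless.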