On Tuesday, January 20, 2015 09:08:04 AM Cedric Bosdonnat wrote:
On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
> Apparmor must not prevent access to required helper programs. The
> following helpers should be allowed to run in unconfined execution mode:
> - libvirt_parthelper
> - libvirt_iohelper
>
> ---
>
> examples/apparmor/usr.sbin.libvirtd | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd index 9917836..ab6572a 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -57,6 +57,8 @@
>
> audit deny /sys/kernel/security/apparmor/.* rwxl,
> /sys/kernel/security/apparmor/profiles r,
> /usr/{lib,lib64}/libvirt/* PUxr,
>
> + /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux,
> + /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux,
>
> /etc/libvirt/hooks/** rmix,
> /etc/xen/scripts/** rmix,
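Review bot: the context line `/usr/{lib,lib64}/libvirt/* PUxr,` already matches both helper paths, so the two added `Ux` rules overlap it with a different exec modifier and without the `r` permission; the only behavioural difference is that `P` would transition to a dedicated profile for the helper if one were loaded, whereas `Ux` always runs it unconfined. Run the profile through apparmor_parser to confirm it still loads with the overlapping rules, and say in the commit message why the `P` fallback is being dropped. If `ix` is used instead, as discussed below, the helpers inherit libvirtd's own profile, so any file access they need must be covered by that profile's rules.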
Can't we find a way to have them run with inherited profile (ix)?
Letting them run completely unprofiled may not be the best solution.
Seems like the apparmor profile for libvirtd is pretty wide open, so I'm not
sure if there will be much of a difference between those two settings. I'm also
not sure how best to test the functionality of those helpers to find out...
I don't mind if the patch is committed with ix. We can always change it later
if we find a definitive reason to use Ux. ;)
Thanks,
Mike
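One way to answer the "how best to test" question is to look at what AppArmor label the helpers actually run under once they are spawned, rather than reasoning about ix versus Ux from the profile text alone. The script below is an added example written for this thread, not code from libvirt or from either poster; it reads `/proc/PID/attr/current`, which the AppArmor kernel side exposes as `unconfined` or as `profile-name (enforce|complain)`, and lists the children of a given process with their labels. The sample label strings in the comments are constructed; the script does not need a running libvirtd to be sourced, only to produce useful output.

```shell
#!/bin/sh
# Added example (not from the libvirt thread or project): report the AppArmor
# label a process and its children actually run under, so that a helper such as
# libvirt_parthelper or libvirt_iohelper can be checked for "inherited profile"
# (ix) versus "unconfined" (Ux) behaviour on a live system.

# Classify a label as read from /proc/PID/attr/current.
# Constructed examples of the kernel's format:
#   "unconfined"
#   "/usr/sbin/libvirtd (enforce)"
#   "/usr/sbin/libvirtd (complain)"
aa_mode() {
    case "$1" in
        unconfined|"")  echo unconfined ;;
        *"(enforce)")   echo enforce ;;
        *"(complain)")  echo complain ;;
        *)              echo unknown ;;
    esac
}

# Profile-name part of a label; empty when the process is unconfined.
aa_profile() {
    case "$1" in
        unconfined|"") echo "" ;;
        *)             printf '%s\n' "${1% (*}" ;;
    esac
}

# Label of a live process. Prints nothing if the attr file is absent
# (kernel without AppArmor support, or the PID has already exited).
aa_label_of() {
    if [ -r "/proc/$1/attr/current" ]; then
        tr -d '\n\000' < "/proc/$1/attr/current"
    fi
}

# List each direct child of PID $1 as: pid, comm, mode, full label.
# A helper spawned by libvirtd shows up here for as long as it runs; under an
# ix rule it carries libvirtd's label, under Ux it reports "unconfined".
aa_children() {
    parent=$1
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        ppid=$(awk '/^PPid:/ { print $2 }' "$d/status" 2>/dev/null) || continue
        [ "$ppid" = "$parent" ] || continue
        label=$(aa_label_of "$p")
        comm=$(cat "$d/comm" 2>/dev/null) || comm='?'
        printf '%s\t%s\t%s\t%s\n' "$p" "$comm" "$(aa_mode "$label")" "$label"
    done
}

# Usage: sh aa_check.sh <pid-of-libvirtd>
# Prints the parent's own label first, then one line per child.
if [ -n "${1:-}" ]; then
    parent_label=$(aa_label_of "$1")
    printf 'parent %s: %s (%s)\n' "$1" "$parent_label" "$(aa_mode "$parent_label")"
    aa_children "$1"
fi
```

Run it with libvirtd's PID while a storage or I/O operation that uses the helper is in progress (for example, during a volume upload that goes through libvirt_iohelper). With the Ux rules from the patch the helper line reads `unconfined`; with ix it reads the libvirtd profile name with its mode, and any file the helper then cannot reach shows up as a denial for the libvirtd profile in the kernel audit log, which is exactly the information needed to decide whether the profile is "wide open" enough for the helpers or needs extra rules.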