4:33 a.m.
Hi there,
Here are 2 patches fixing tiny annoying problems. One of them, makes
apparmor profiles handle /usr/lib64 folder and the other one fixes an
uncleaned piece of domain config.
Cédric Bosdonnat (2):
Teach AppArmor, that /usr/lib64 may exist.
Fix error when starting a container after an error
examples/apparmor/libvirt-qemu | 2 +-
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
examples/apparmor/usr.sbin.libvirtd | 4 ++--
src/lxc/lxc_process.c | 1 +
4 files changed, 6 insertions(+), 5 deletions(-)
--
2.1.2
4:33 a.m.
New subject: [libvirt] [PATCH 1/2] Teach AppArmor, that /usr/lib64 may exist.
The apparmor profiles forgot about /usr/lib64 folders, just add lib64
as a possible alternative to lib in the paths
---
examples/apparmor/libvirt-qemu | 2 +-
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
examples/apparmor/usr.sbin.libvirtd | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index c6de6dd..7aad391 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -111,7 +111,7 @@
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
- /usr/lib/qemu/block-curl.so mr,
+ /usr/{lib,lib64}/qemu/block-curl.so mr,
# for save and resume
/bin/dash rmix,
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index bceaaff..b34fb35 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -1,7 +1,7 @@
# Last Modified: Mon Apr 5 15:10:27 2010
#include <tunables/global>
-/usr/lib/libvirt/virt-aa-helper {
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
#include <abstractions/base>
# needed for searching directories
@@ -20,7 +20,7 @@
/sys/devices/ r,
/sys/devices/** r,
- /usr/lib/libvirt/virt-aa-helper mr,
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
/sbin/apparmor_parser Ux,
/etc/apparmor.d/libvirt/* r,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 3011eff..7151052 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -44,7 +44,7 @@
/usr/bin/* PUx,
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
- /usr/lib/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
@@ -53,7 +53,7 @@
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/* PUxr,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
--
2.1.2
10 a.m.
New subject: [libvirt] [PATCH 1/2] Teach AppArmor, that /usr/lib64 may exist.
On 12/30/2014 04:33 AM, Cédric Bosdonnat wrote:
The apparmor profiles forgot about /usr/lib64 folders, just add
lib64
as a possible alternative to lib in the paths
These changes all look good to me. +1
---
examples/apparmor/libvirt-qemu | 2 +-
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
examples/apparmor/usr.sbin.libvirtd | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index c6de6dd..7aad391 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -111,7 +111,7 @@
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
- /usr/lib/qemu/block-curl.so mr,
+ /usr/{lib,lib64}/qemu/block-curl.so mr,
# for save and resume
/bin/dash rmix,
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index bceaaff..b34fb35 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -1,7 +1,7 @@
# Last Modified: Mon Apr 5 15:10:27 2010
#include <tunables/global>
-/usr/lib/libvirt/virt-aa-helper {
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
#include <abstractions/base>
# needed for searching directories
@@ -20,7 +20,7 @@
/sys/devices/ r,
/sys/devices/** r,
- /usr/lib/libvirt/virt-aa-helper mr,
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
/sbin/apparmor_parser Ux,
/etc/apparmor.d/libvirt/* r,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 3011eff..7151052 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -44,7 +44,7 @@
/usr/bin/* PUx,
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
- /usr/lib/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
@@ -53,7 +53,7 @@
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/* PUxr,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
--
Jamie Strandboge http://www.ubuntu.com/
3:47 a.m.
New subject: [libvirt] [PATCH 1/2] Teach AppArmor, that /usr/lib64 may exist.
On Sun, 2015-01-04 at 10:00 -0600, Jamie Strandboge wrote:
On 12/30/2014 04:33 AM, Cédric Bosdonnat wrote:
> The apparmor profiles forgot about /usr/lib64 folders, just add lib64
> as a possible alternative to lib in the paths
These changes all look good to me. +1
Pushed, then.
Thanks for the review.
> ---
> examples/apparmor/libvirt-qemu | 2 +-
> examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
> examples/apparmor/usr.sbin.libvirtd | 4 ++--
> 3 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index c6de6dd..7aad391 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -111,7 +111,7 @@
> /usr/bin/qemu-sparc32plus rmix,
> /usr/bin/qemu-sparc64 rmix,
> /usr/bin/qemu-x86_64 rmix,
> - /usr/lib/qemu/block-curl.so mr,
> + /usr/{lib,lib64}/qemu/block-curl.so mr,
>
> # for save and resume
> /bin/dash rmix,
> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> index bceaaff..b34fb35 100644
> --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -1,7 +1,7 @@
> # Last Modified: Mon Apr 5 15:10:27 2010
> #include <tunables/global>
>
> -/usr/lib/libvirt/virt-aa-helper {
> +profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
> #include <abstractions/base>
>
> # needed for searching directories
> @@ -20,7 +20,7 @@
> /sys/devices/ r,
> /sys/devices/** r,
>
> - /usr/lib/libvirt/virt-aa-helper mr,
> + /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
> /sbin/apparmor_parser Ux,
>
> /etc/apparmor.d/libvirt/* r,
> diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
> index 3011eff..7151052 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -44,7 +44,7 @@
> /usr/bin/* PUx,
> /usr/sbin/* PUx,
> /lib/udev/scsi_id PUx,
> - /usr/lib/xen-common/bin/xen-toolstack PUx,
> + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>
> # force the use of virt-aa-helper
> audit deny /sbin/apparmor_parser rwxl,
> @@ -53,7 +53,7 @@
> audit deny /sys/kernel/security/apparmor/matching rwxl,
> audit deny /sys/kernel/security/apparmor/.* rwxl,
> /sys/kernel/security/apparmor/profiles r,
> - /usr/lib/libvirt/* PUxr,
> + /usr/{lib,lib64}/libvirt/* PUxr,
> /etc/libvirt/hooks/** rmix,
> /etc/xen/scripts/** rmix,
>
>
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
9:23 a.m.
New subject: [libvirt] [PATCH 1/2] Teach AppArmor, that /usr/lib64 may exist.
On 12/30/2014 03:33 AM, Cédric Bosdonnat wrote:
s/,// in the subject
Also, we tend to avoid trailing '.' in commit summary lines, although
that is not strictly enforced
The apparmor profiles forgot about /usr/lib64 folders, just add
lib64
as a possible alternative to lib in the paths
---
examples/apparmor/libvirt-qemu | 2 +-
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
examples/apparmor/usr.sbin.libvirtd | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
ACK
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
4:33 a.m.
New subject: [libvirt] [PATCH 2/2] Fix error when starting a container after an error
The typical case for the problem is starting a domain needing a network
that isn't started. Even after starting the network, we get an unknown error
when starting the container.
This is due to dynamic security label not being removed.
---
src/lxc/lxc_process.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index 1c0d4e5..d7eb8bc 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -1372,6 +1372,7 @@ int virLXCProcessStart(virConnectPtr conn,
VIR_FREE(vm->def->seclabels[0]->model);
VIR_FREE(vm->def->seclabels[0]->label);
VIR_FREE(vm->def->seclabels[0]->imagelabel);
+ VIR_DELETE_ELEMENT(vm->def->seclabels, 0, vm->def->nseclabels);
}
}
for (i = 0; i < nttyFDs; i++)
--
2.1.2
3:37 a.m.
On 12/30/2014 11:33 AM, Cédric Bosdonnat wrote:
Hi there,
Here are 2 patches fixing tiny annoying problems. One of them, makes
apparmor profiles handle /usr/lib64 folder and the other one fixes an
uncleaned piece of domain config.
Cédric Bosdonnat (2):
Teach AppArmor, that /usr/lib64 may exist.
Fix error when starting a container after an error
examples/apparmor/libvirt-qemu | 2 +-
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
examples/apparmor/usr.sbin.libvirtd | 4 ++--
src/lxc/lxc_process.c | 1 +
4 files changed, 6 insertions(+), 5 deletions(-)
ACK series
Jan
1:28 p.m.
Hi Jan,
Thanks for your review. Pushed.
--
Cedric
On Mon, 2015-01-05 at 10:37 +0100, Ján Tomko wrote:
On 12/30/2014 11:33 AM, Cédric Bosdonnat wrote:
> Hi there,
>
> Here are 2 patches fixing tiny annoying problems. One of them, makes
> apparmor profiles handle /usr/lib64 folder and the other one fixes an
> uncleaned piece of domain config.
>
> Cédric Bosdonnat (2):
> Teach AppArmor, that /usr/lib64 may exist.
> Fix error when starting a container after an error
>
> examples/apparmor/libvirt-qemu | 2 +-
> examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
> examples/apparmor/usr.sbin.libvirtd | 4 ++--
> src/lxc/lxc_process.c | 1 +
> 4 files changed, 6 insertions(+), 5 deletions(-)
>
ACK series
Jan
3862
days inactive
3868
days old
7 comments
5 participants
participants (5)
-
Cedric Bosdonnat -
Cédric Bosdonnat
-
Eric Blake -
Jamie Strandboge -
Ján Tomko