[PATCH] apparmor: ceph config file names

From: Christian Ehrhardt <christian.ehrhardt@canonical.com>

If running multiple [1] clusters (uncommon) the ceph config file will be derived from the cluster name. Therefore the rule to allow to read ceph config files needs to be opened up slightly to allow for that condition.

[1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-...

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 4156428163..8cd76d48ec 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -199,7 +199,7 @@ /sys/class/ r, # for rbd - /etc/ceph/ceph.conf r, + /etc/ceph/*.conf r, # Various functions will need to enumerate /tmp (e.g. ceph), allow the base # dir and a few known functions like samba support. -- 2.33.0
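Review bot: the replacement rule `/etc/ceph/*.conf r,` widens the read grant from the single file `/etc/ceph/ceph.conf` to every file directly inside `/etc/ceph/` whose name ends in `.conf`; since AppArmor's `*` does not match `/`, subdirectories are not covered, and files in that directory with any other suffix remain unreadable to the confined process. That matches the stated goal of reading `<cluster>.conf` for non-default cluster names, but the commit message only says the rule is "opened up slightly"; stating that the widening is limited to `.conf`-suffixed files in that one directory would document the exact scope of the new grant next to the change and make it easier for future readers of the profile to see why a glob rather than a named file is acceptable here.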

On Thu, 07 Oct 2021, christian.ehrhardt@canonical.com wrote:
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
If running multiple [1] clusters (uncommon) the ceph config file will be derived from the cluster name. Therefore the rule to allow to read ceph config files needs to be opened up slightly to allow for that condition.
[1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-...
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 4156428163..8cd76d48ec 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -199,7 +199,7 @@ /sys/class/ r,
# for rbd - /etc/ceph/ceph.conf r, + /etc/ceph/*.conf r,
# Various functions will need to enumerate /tmp (e.g. ceph), allow the base # dir and a few known functions like samba support.
LGTM, thanks!
--
Email: jamie@strandboge.com
IRC: jdstrand

On Sat, Oct 9, 2021 at 2:33 PM Jamie Strandboge <jamie@strandboge.com> wrote:
On Thu, 07 Oct 2021, christian.ehrhardt@canonical.com wrote:
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
If running multiple [1] clusters (uncommon) the ceph config file will be derived from the cluster name. Therefore the rule to allow to read ceph config files needs to be opened up slightly to allow for that condition.
[1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-...
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 4156428163..8cd76d48ec 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -199,7 +199,7 @@ /sys/class/ r,
# for rbd - /etc/ceph/ceph.conf r, + /etc/ceph/*.conf r,
# Various functions will need to enumerate /tmp (e.g. ceph), allow the base # dir and a few known functions like samba support.
LGTM, thanks!
--
Email: jamie@strandboge.com
IRC: jdstrand
Thank you both, Jamie and Michal! Reviews are in, no freeze right now, no negative feedback appeared and the tests work fine. Thereby I'm pushing this AA change now ...
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

On 10/7/21 1:32 PM, christian.ehrhardt@canonical.com wrote:
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
If running multiple [1] clusters (uncommon) the ceph config file will be derived from the cluster name. Therefore the rule to allow to read ceph config files needs to be opened up slightly to allow for that condition.
[1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-...
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal