[libvirt] [PATCH] apparmor: Allow to run pygrub

Debian has pygrub in /usr/lib/xen-*/bin/pygrub Allow it to be run. --- I'm open to making this more broad since it seems /usr/{lib,lib64}/xen/bin/* Ux, serves a similar purpose. Cheers, -- Guido src/security/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index 29f9936ad9..f9a523c213 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -87,6 +87,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, /usr/lib/xen-*/bin/libxl-save-helper PUx, + /usr/lib/xen-*/bin/pygrub PUx, # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to # read and run an ebtables script. -- 2.20.1
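Review bot: the added `/usr/lib/xen-*/bin/pygrub PUx,` rule falls back to running pygrub unconfined whenever no profile for that binary is loaded, and this patch adds no such profile, so unless one is shipped separately the rule amounts to an unconfined exec (with environment scrubbing) from libvirtd. That is consistent with the `libxl-save-helper PUx` rule directly above it, but the commit message should state the fallback and link the Debian bug that motivated the change. On the question raised below the `---`, keep the rule per-binary: a glob over `/usr/lib/xen-*/bin/`, modelled on the existing `/usr/{lib,lib64}/xen/bin/* Ux,` line, would let every executable in that directory run unconfined, which is broader than the stated need.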

On Wed, 2019-08-21 at 10:38 +0200, Guido Günther wrote:
Debian has pygrub in
/usr/lib/xen-*/bin/pygrub
Allow it to be run.
For those following along at home: see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768 for more information.
+++ b/src/security/apparmor/usr.sbin.libvirtd @@ -87,6 +87,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, /usr/lib/xen-*/bin/libxl-save-helper PUx, + /usr/lib/xen-*/bin/pygrub PUx,
This looks sane enough to me, so

  Reviewed-by: Andrea Bolognani <abologna@redhat.com>

but maybe wait a few days before pushing, to give people more familiar with AppArmor a chance to weigh in.

-- 
Andrea Bolognani / Red Hat / Virtualization