10:41 p.m.
Upstream Xen has traditionally installed various hotplug and
utility scripts in /etc/xen/scripts/. openSUSE is slowly moving
all distribution provided configuration files and scripts from
/etc to /usr. In the case of the Xen scripts provided under
/etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/.
Adjust the libvirtd Apparmor profile to allow executing scripts
from this location.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
If this is deemed too distro-specific I'm happy to maintain a
downstream patch.
src/security/apparmor/usr.sbin.libvirtd | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd
b/src/security/apparmor/usr.sbin.libvirtd
index 29f9936ad9..b0d23c80f3 100644
--- a/src/security/apparmor/usr.sbin.libvirtd
+++ b/src/security/apparmor/usr.sbin.libvirtd
@@ -104,6 +104,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
+ /usr/{lib,lib64}/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
--
2.23.0
9:31 a.m.
On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
Upstream Xen has traditionally installed various hotplug and
utility scripts in /etc/xen/scripts/. openSUSE is slowly moving
all distribution provided configuration files and scripts from
/etc to /usr. In the case of the Xen scripts provided under
/etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/.
Adjust the libvirtd Apparmor profile to allow executing scripts
from this location.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
If this is deemed too distro-specific I'm happy to maintain a
downstream patch.
src/security/apparmor/usr.sbin.libvirtd | 1 +
1 file changed, 1 insertion(+)
I'm no AppArmor expert but this looks sane enough to me, so
Reviewed-by: Andrea Bolognani <abologna(a)redhat.com>
--
Andrea Bolognani / Red Hat / Virtualization
9:51 a.m.
On 10/18/19 8:31 AM, Andrea Bolognani wrote:
On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
> Upstream Xen has traditionally installed various hotplug and
> utility scripts in /etc/xen/scripts/. openSUSE is slowly moving
> all distribution provided configuration files and scripts from
> /etc to /usr. In the case of the Xen scripts provided under
> /etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/.
> Adjust the libvirtd Apparmor profile to allow executing scripts
> from this location.
>
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
> ---
>
> If this is deemed too distro-specific I'm happy to maintain a
> downstream patch.
>
> src/security/apparmor/usr.sbin.libvirtd | 1 +
> 1 file changed, 1 insertion(+)
I'm no AppArmor expert but this looks sane enough to me, so
Reviewed-by: Andrea Bolognani <abologna(a)redhat.com>
Thanks, but I think I should hold off pushing this until other distros make a
similar change to the Xen scripts location. We are still debating on when to
make the change in openSUSE :-). Sorry, I pulled the trigger a bit to early on
this one.
Regards,
Jim
10:05 a.m.
On Fri, 2019-10-18 at 14:51 +0000, Jim Fehlig wrote:
On 10/18/19 8:31 AM, Andrea Bolognani wrote:
> On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
> > If this is deemed too distro-specific I'm happy to maintain a
> > downstream patch.
> >
> > src/security/apparmor/usr.sbin.libvirtd | 1 +
> > 1 file changed, 1 insertion(+)
>
> I'm no AppArmor expert but this looks sane enough to me, so
>
> Reviewed-by: Andrea Bolognani <abologna(a)redhat.com>
Thanks, but I think I should hold off pushing this until other distros make a
similar change to the Xen scripts location. We are still debating on when to
make the change in openSUSE :-). Sorry, I pulled the trigger a bit to early on
this one.
I don't think you necessarily need to wait for other distros to
adopt the same change: in my mind, it's perfectly fine to have
multiple distro-specific paths in the profile.
If, however, there are literally zero distros using this specific
path then yes, that makes it too soon :)
--
Andrea Bolognani / Red Hat / Virtualization
1862
days inactive
1863
days old
3 comments
2 participants
participants (2)
-
Andrea Bolognani -
Jim Fehlig