[libvirt] [PATCH] Apparmor: Support Xen scripts in libexec

Upstream Xen has traditionally installed various hotplug and utility scripts in /etc/xen/scripts/. openSUSE is slowly moving all distribution provided configuration files and scripts from /etc to /usr. In the case of the Xen scripts provided under /etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/. Adjust the libvirtd Apparmor profile to allow executing scripts from this location. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- If this is deemed too distro-specific I'm happy to maintain a downstream patch. src/security/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index 29f9936ad9..b0d23c80f3 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -104,6 +104,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, + /usr/{lib,lib64}/xen/scripts/** rmix, # allow changing to our UUID-based named profiles change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, -- 2.23.0
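Review bot: nothing in the profile marks the added rule `+ /usr/{lib,lib64}/xen/scripts/** rmix,` as the openSUSE-specific location described only in the commit message; a one-line comment above it (e.g. `# openSUSE installs the Xen hotplug scripts under /usr/lib`) would stop later readers from treating it as an upstream Xen path next to `/etc/xen/scripts/** rmix,`. The permissions themselves mirror the existing Xen rule: `ix` runs the scripts inherited under libvirtd's own confinement rather than transitioning to a separate profile, and the rule grants no `w`, so libvirtd is still unable to modify the scripts it is allowed to execute.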

On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
Upstream Xen has traditionally installed various hotplug and utility scripts in /etc/xen/scripts/. openSUSE is slowly moving all distribution provided configuration files and scripts from /etc to /usr. In the case of the Xen scripts provided under /etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/. Adjust the libvirtd Apparmor profile to allow executing scripts from this location.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> ---
If this is deemed too distro-specific I'm happy to maintain a downstream patch.
src/security/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)
I'm no AppArmor expert but this looks sane enough to me, so
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
--
Andrea Bolognani / Red Hat / Virtualization

On 10/18/19 8:31 AM, Andrea Bolognani wrote:
On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
Upstream Xen has traditionally installed various hotplug and utility scripts in /etc/xen/scripts/. openSUSE is slowly moving all distribution provided configuration files and scripts from /etc to /usr. In the case of the Xen scripts provided under /etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/. Adjust the libvirtd Apparmor profile to allow executing scripts from this location.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> ---
If this is deemed too distro-specific I'm happy to maintain a downstream patch.
src/security/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)
I'm no AppArmor expert but this looks sane enough to me, so
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Thanks, but I think I should hold off pushing this until other distros make a similar change to the Xen scripts location. We are still debating on when to make the change in openSUSE :-). Sorry, I pulled the trigger a bit too early on this one.
Regards,
Jim

On Fri, 2019-10-18 at 14:51 +0000, Jim Fehlig wrote:
On 10/18/19 8:31 AM, Andrea Bolognani wrote:
On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
If this is deemed too distro-specific I'm happy to maintain a downstream patch.
src/security/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)
I'm no AppArmor expert but this looks sane enough to me, so
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Thanks, but I think I should hold off pushing this until other distros make a similar change to the Xen scripts location. We are still debating on when to make the change in openSUSE :-). Sorry, I pulled the trigger a bit too early on this one.
I don't think you necessarily need to wait for other distros to adopt the same change: in my mind, it's perfectly fine to have multiple distro-specific paths in the profile. If, however, there are literally zero distros using this specific path then yes, that makes it too soon :)
--
Andrea Bolognani / Red Hat / Virtualization