<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 30, 2020 at 8:05 AM Michal Privoznik <<a href="mailto:mprivozn@redhat.com">mprivozn@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Both of these binaries are spawned by libvirt. Add a rule to the<br>
default profile to allow that.<br>
<br>
Signed-off-by: Michal Privoznik <<a href="mailto:mprivozn@redhat.com" target="_blank">mprivozn@redhat.com</a>><br>
---<br>
 src/security/apparmor/usr.sbin.libvirtd | 2 ++<br>
 1 file changed, 2 insertions(+)<br>
<br>
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd<br>
index 2089ba1b3e..27314b1512 100644<br>
--- a/src/security/apparmor/usr.sbin.libvirtd<br>
+++ b/src/security/apparmor/usr.sbin.libvirtd<br>
@@ -100,6 +100,8 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {<br>
   audit deny /sys/kernel/security/apparmor/.* rwxl,<br>
   /sys/kernel/security/apparmor/profiles r,<br>
   /usr/{lib,lib64}/libvirt/* PUxr,<br>
+  /usr/libexec/virt-aa-helper PUxr,<br>
+  /usr/libexec/libvirt_lxc PUxr,<br></blockquote><div><br></div><div>Again - I'd appreciate it if we could use generated paths here, based on the --libexecdir configure option.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
   /usr/libexec/libvirt_parthelper ix,<br>
   /usr/libexec/libvirt_iohelper ix,<br>
   /etc/libvirt/hooks/** rmix,<br>
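</blockquote><div><br></div><div>Review bot: the two added rules use PUxr, so if no profile is loaded for /usr/libexec/virt-aa-helper or /usr/libexec/libvirt_lxc, those binaries run unconfined, while the neighbouring /usr/libexec/libvirt_parthelper and /usr/libexec/libvirt_iohelper rules use ix and stay inside the libvirtd profile. Please state in the commit message that the unconfined fallback is intended for both binaries, or use Pxr for any of them that is expected to have its own profile so a missing profile fails the exec instead of silently dropping confinement. The message should also say why these rules are needed next to the existing /usr/{lib,lib64}/libvirt/* PUxr rule.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">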
-- <br>
2.24.1<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Christian Ehrhardt<br>Staff Engineer, Ubuntu Server<br>Canonical Ltd</div></div>