<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 30, 2020 at 8:05 AM Michal Privoznik <<a href="mailto:mprivozn@redhat.com">mprivozn@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">These helper binaries are installed under libexec dir not lib<br>
dir.<br>
<br>
Signed-off-by: Michal Privoznik <<a href="mailto:mprivozn@redhat.com" target="_blank">mprivozn@redhat.com</a>><br>
---<br>
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-<br>
 src/security/apparmor/usr.sbin.libvirtd              | 4 ++--<br>
 2 files changed, 3 insertions(+), 3 deletions(-)<br>
<br>
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper<br>
index 11e9c039ca..ca1f6ca083 100644<br>
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper<br>
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper<br>
@@ -39,7 +39,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {<br>
   deny /dev/mapper/ r,<br>
   deny /dev/mapper/* r,<br>
<br>
-  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,<br>
+  /usr/{lib,lib64,libexec}/libvirt/virt-aa-helper mr,<br>
   /{usr/,}sbin/apparmor_parser Ux,<br>
<br>
   /etc/apparmor.d/libvirt/* r,<br>
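</blockquote><div>Review bot: the profile attachment shown in the hunk header, "profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {", still lists only lib and lib64, so a binary installed at /usr/libexec/libvirt/virt-aa-helper does not match that attachment path even though the mr rule now permits it. Extend the attachment to {lib,lib64,libexec} in the same change. This hunk also keeps the libvirt/ subdirectory under libexec, while the usr.sbin.libvirtd hunk uses /usr/libexec/libvirt_parthelper without it; the two should agree.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">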
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd<br>
index 29f9936ad9..2089ba1b3e 100644<br>
--- a/src/security/apparmor/usr.sbin.libvirtd<br>
+++ b/src/security/apparmor/usr.sbin.libvirtd<br>
@@ -100,8 +100,8 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {<br>
   audit deny /sys/kernel/security/apparmor/.* rwxl,<br>
   /sys/kernel/security/apparmor/profiles r,<br>
   /usr/{lib,lib64}/libvirt/* PUxr,<br>
-  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,<br>
-  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,<br>
+  /usr/libexec/libvirt_parthelper ix,<br>
+  /usr/libexec/libvirt_iohelper ix,<br></blockquote><div><br></div><div>This needs the same {lib,lib64,libexec} treatment.</div><div>E.g. on Debian/Ubuntu this is in:</div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">/usr/lib/libvirt/libvirt_parthelper</span><br></span></div><div><br></div><div>SUSE most likely again has lib64 here.</div><div><br></div><div>As I suggested in one of the patches, I think we either want full dir listings for all common cases here or to make it dependent on the <span style="font-family:monospace;color:rgb(0,0,0)">--libexecdir</span> configure option.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
   /etc/libvirt/hooks/** rmix,<br>
   /etc/xen/scripts/** rmix,<br>
<br>
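</blockquote><div>Review bot: the two replaced ix rules no longer cover /usr/{lib,lib64}/libvirt/, so where the helpers remain there they match only the unchanged wildcard rule "/usr/{lib,lib64}/libvirt/* PUxr," and go from inheriting libvirtd's confinement (ix) to a profile transition that falls back to unconfined execution (PUx). Keep the lib and lib64 alternatives alongside the libexec path for both libvirt_parthelper and libvirt_iohelper, or generate the path from the configured libexecdir. The new paths also omit the libvirt/ subdirectory that the virt-aa-helper hunk keeps under libexec.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">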
-- <br>
2.24.1<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Christian Ehrhardt<br>Staff Engineer, Ubuntu Server<br>Canonical Ltd</div></div>