<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 30, 2020 at 8:05 AM Michal Privoznik <<a href="mailto:mprivozn@redhat.com">mprivozn@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">There are two more paths that we are missing in the default<br>
domain profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/.<br>
These exist on my Gentoo box and contain UEFI and BIOS images<br>
respectively.<br>
<br>
Signed-off-by: Michal Privoznik <<a href="mailto:mprivozn@redhat.com" target="_blank">mprivozn@redhat.com</a>><br>
---<br>
 src/security/apparmor/libvirt-qemu | 2 ++<br>
 1 file changed, 2 insertions(+)<br>
<br></blockquote><div><br></div><div>Hi Michal,</div><div>You might already have abandoned this as I've seen other parts of the series land (thanks for the dynamic paths now).But revisiting this I found that they seem not needed.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu<br>
index 2291829270..6942b83969 100644<br>
--- a/src/security/apparmor/libvirt-qemu<br>
+++ b/src/security/apparmor/libvirt-qemu<br>
@@ -75,6 +75,7 @@<br>
   # access to firmware's etc<br>
   /usr/share/AAVMF/** r,<br>
   /usr/share/bochs/** r,<br>
+  /usr/share/edk2-ovmf/** r,<br></blockquote><div><br></div><div>At least on Debian/Ubuntu the multiple edk2 related cases are already covered by</div><div><br></div>85342a3771b (Guido Günther    2014-04-07 12:15:02 +0200)<br>  /usr/share/ovmf/** r,<br>f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)<br>  /usr/share/OVMF/** r,<br>f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)<br>   /usr/share/AAVMF/** r,<br>f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)<br>   /usr/share/qemu-efi/** r,<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
   /usr/share/kvm/** r,<br>
   /usr/share/misc/sgabios.bin r,<br>
   /usr/share/openbios/** r,<br>
@@ -86,6 +87,7 @@<br>
   /usr/share/qemu-kvm/** r,<br>
   /usr/share/qemu/** r,<br>
   /usr/share/seabios/** r,<br>
+  /usr/share/sgabios/** r,<br></blockquote><div><br></div><div>Again for Debian/Ubuntu this is already covered by:</div><div>987d1fdc535 (Guido Günther    2018-01-15 09:44:37 +0100)<br>  /usr/share/misc/sgabios.bin r,<br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">
</span><br></span></div><div>I guess Suse would have mentioned if the paths would not have worked for them.<span style="font-family:monospace"><br></span></div><div>Did you have another Distro which uses the paths that try to add here?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
   /usr/share/slof/** r,<br>
   /usr/share/vgabios/** r,<br></blockquote><div> </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
-- <br>
2.24.1<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Christian Ehrhardt<br>Staff Engineer, Ubuntu Server<br>Canonical Ltd</div></div>