[libvirt] [PATCH 1/2] Teach AppArmor, that /usr/lib64 may exist.

Cédric Bosdonnat cbosdonnat at suse.com
Tue Dec 30 10:33:58 UTC 2014


The apparmor profiles forgot about /usr/lib64 folders. Just add lib64
as a possible alternative to lib in the paths.
---
 examples/apparmor/libvirt-qemu                   | 2 +-
 examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
 examples/apparmor/usr.sbin.libvirtd              | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index c6de6dd..7aad391 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -111,7 +111,7 @@
   /usr/bin/qemu-sparc32plus rmix,
   /usr/bin/qemu-sparc64 rmix,
   /usr/bin/qemu-x86_64 rmix,
-  /usr/lib/qemu/block-curl.so mr,
+  /usr/{lib,lib64}/qemu/block-curl.so mr,
 
   # for save and resume
   /bin/dash rmix,
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index bceaaff..b34fb35 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -1,7 +1,7 @@
 # Last Modified: Mon Apr  5 15:10:27 2010
 #include <tunables/global>
 
-/usr/lib/libvirt/virt-aa-helper {
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
   #include <abstractions/base>
 
   # needed for searching directories
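Review bot: The new header `profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {` does more than add lib64: it turns the path into an attachment and renames the profile to `virt-aa-helper`, which the commit message does not mention. Audit records, `aa-status` output and any tooling or detection rule keyed on the old name `/usr/lib/libvirt/virt-aa-helper` will see the new name. Because loaded profiles are replaced by name, a host that already has the old profile loaded may keep it alongside the new one until it is removed or the host reboots. I would state the rename in the description and add a comment above the header such as `# Named profile: "virt-aa-helper" is the profile name, the glob is only the attachment path`. The profile body continues outside this hunk.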
@@ -20,7 +20,7 @@
   /sys/devices/ r,
   /sys/devices/** r,
 
-  /usr/lib/libvirt/virt-aa-helper mr,
+  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
   /sbin/apparmor_parser Ux,
 
   /etc/apparmor.d/libvirt/* r,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 3011eff..7151052 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -44,7 +44,7 @@
   /usr/bin/* PUx,
   /usr/sbin/* PUx,
   /lib/udev/scsi_id PUx,
-  /usr/lib/xen-common/bin/xen-toolstack PUx,
+  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,
@@ -53,7 +53,7 @@
   audit deny /sys/kernel/security/apparmor/matching rwxl,
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
-  /usr/lib/libvirt/* PUxr,
+  /usr/{lib,lib64}/libvirt/* PUxr,
   /etc/libvirt/hooks/** rmix,
   /etc/xen/scripts/** rmix,
 
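Review bot: `/usr/{lib,lib64}/libvirt/* PUxr` keeps the `U` fallback, so every binary under either directory, virt-aa-helper included, runs unconfined whenever no loaded profile attaches to it. On a lib64 host that would presumably happen if the helper profile from this patch is not loaded, or if an older copy attaching only to `/usr/lib` is still in place, and nothing would be denied or logged as a failure. I would add a comment on this rule recording the dependency, e.g. `# virt-aa-helper is confined only if its profile is loaded and attaches to this path; PUx otherwise falls back to unconfined`. Whether the helper can get its own `Px` rule, so that a missing profile fails the exec instead, is worth checking with apparmor_parser. The profile body starts and ends outside the hunk.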
-- 
2.1.2



