[libvirt] [PATCH 2/3] Grant access to helpers
Mike Latimer
mlatimer at suse.com
Thu Jan 22 05:32:48 UTC 2015
On Tuesday, January 20, 2015 09:08:04 AM Cedric Bosdonnat wrote:
> On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
> > Apparmor must not prevent access to required helper programs. The
> > following helpers should be allowed to run in unconfined execution mode:
> > - libvirt_parthelper
> > - libvirt_iohelper
> >
> > ---
> >
> > examples/apparmor/usr.sbin.libvirtd | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/examples/apparmor/usr.sbin.libvirtd
> > b/examples/apparmor/usr.sbin.libvirtd index 9917836..ab6572a 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -57,6 +57,8 @@
> >
> > audit deny /sys/kernel/security/apparmor/.* rwxl,
> > /sys/kernel/security/apparmor/profiles r,
> > /usr/{lib,lib64}/libvirt/* PUxr,
> >
> > + /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux,
> > + /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux,
> >
> > /etc/libvirt/hooks/** rmix,
> > /etc/xen/scripts/** rmix,
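Review bot: the two added `Ux` rules overlap the existing glob `/usr/{lib,lib64}/libvirt/* PUxr,` three lines above, which already matches both helper paths, so the commit message should state why the `PUx` mode of that rule (run under the helper's own profile if one is loaded, otherwise unconfined) is insufficient. As raised in the reply, `ix` is the safer choice here: `Ux` runs the helper, and anything it spawns, with no confinement at all, whereas `ix` keeps it inside the libvirtd profile, which the thread already describes as wide enough for these helpers. Suggested change: `/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,` and `/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,`. Two further checks before merging: the new rules drop the `r` that the glob rule carries, so confirm libvirtd never needs to read these binaries directly, and load the profile with apparmor_parser to confirm it accepts the exact-path rules alongside the overlapping glob rather than reporting conflicting x modifiers.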
>
> Can't we find a way to have them run with inherited profile (ix)?
> Letting them run completely unprofiled may not be the best solution.
Seems like the apparmor profile for libvirtd is pretty wide open, so I'm not
sure if there will be much of a difference between those two settings. I'm also
not sure how best to test the functionality of those helpers to find out...
I don't mind if the patch is committed with ix. We can always change it later
if we find a definitive reason to use Ux. ;)
Thanks,
Mike