[libvirt] [PATCH 1/2] Teach AppArmor, that /usr/lib64 may exist.

Jamie Strandboge jamie at canonical.com
Sun Jan 4 16:00:59 UTC 2015


On 12/30/2014 04:33 AM, Cédric Bosdonnat wrote:
> The apparmor profiles forgot about /usr/lib64 folders, just add lib64
> as a possible alternative to lib in the paths

These changes all look good to me. +1

> ---
>  examples/apparmor/libvirt-qemu                   | 2 +-
>  examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
>  examples/apparmor/usr.sbin.libvirtd              | 4 ++--
>  3 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index c6de6dd..7aad391 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -111,7 +111,7 @@
>    /usr/bin/qemu-sparc32plus rmix,
>    /usr/bin/qemu-sparc64 rmix,
>    /usr/bin/qemu-x86_64 rmix,
> -  /usr/lib/qemu/block-curl.so mr,
> +  /usr/{lib,lib64}/qemu/block-curl.so mr,
>  
>    # for save and resume
>    /bin/dash rmix,
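
Review bot: Style point on the `block-curl.so` rule: the `{lib,lib64}` alternation is spelled out in all five rules this patch touches across the three files. The shorter `/usr/lib{,64}/qemu/block-curl.so mr,` matches the same two paths. Whichever spelling is chosen, using it consistently keeps a later change to the set of library directories a one-pattern edit.
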
> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> index bceaaff..b34fb35 100644
> --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -1,7 +1,7 @@
>  # Last Modified: Mon Apr  5 15:10:27 2010
>  #include <tunables/global>
>  
> -/usr/lib/libvirt/virt-aa-helper {
> +profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>    #include <abstractions/base>
>  
>    # needed for searching directories
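
Review bot: The profile rename in the header line (`profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {`) is not mentioned in the commit message, which only talks about lib64. Before this change the profile was named by its path, `/usr/lib/libvirt/virt-aa-helper`; after it the name is `virt-aa-helper` and the path becomes the attachment. Please call that out in the commit message and confirm that nothing refers to the profile by its old path-based name. The `# Last Modified` comment at the top of the file is also left unchanged.
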
> @@ -20,7 +20,7 @@
>    /sys/devices/ r,
>    /sys/devices/** r,
>  
> -  /usr/lib/libvirt/virt-aa-helper mr,
> +  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
>    /sbin/apparmor_parser Ux,
>  
>    /etc/apparmor.d/libvirt/* r,
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index 3011eff..7151052 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -44,7 +44,7 @@
>    /usr/bin/* PUx,
>    /usr/sbin/* PUx,
>    /lib/udev/scsi_id PUx,
> -  /usr/lib/xen-common/bin/xen-toolstack PUx,
> +  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>  
>    # force the use of virt-aa-helper
>    audit deny /sbin/apparmor_parser rwxl,
> @@ -53,7 +53,7 @@
>    audit deny /sys/kernel/security/apparmor/matching rwxl,
>    audit deny /sys/kernel/security/apparmor/.* rwxl,
>    /sys/kernel/security/apparmor/profiles r,
> -  /usr/lib/libvirt/* PUxr,
> +  /usr/{lib,lib64}/libvirt/* PUxr,
>    /etc/libvirt/hooks/** rmix,
>    /etc/xen/scripts/** rmix,
>  
> 


-- 
Jamie Strandboge                 http://www.ubuntu.com/
