[libvirt] [PATCH 08/10] apparmor: provide local override templates

Guido Günther agx at sigxcpu.org
Mon May 15 16:00:18 UTC 2017


On Mon, May 15, 2017 at 03:23:17PM +0200, Stefan Bader wrote:
> Local overrides is a feature Debian/Ubuntu libvirt provided for a while.
> This allows the user to have a non-conffile that he can use to extend the
> package delivered rules with extra content matching his special case.
> 
> This change provides override templates which the user can extend
> and modifies the makefile template to include those when installing
> the apparmor profiles.
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  examples/Makefile.am                                   | 14 ++++++++++++++
>  examples/apparmor/local-usr.lib.libvirt.virt-aa-helper |  2 ++
>  examples/apparmor/local-usr.sbin.libvirtd              |  2 ++
>  3 files changed, 18 insertions(+)
>  create mode 100644 examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
>  create mode 100644 examples/apparmor/local-usr.sbin.libvirtd
> 
> diff --git a/examples/Makefile.am b/examples/Makefile.am
> index 2956e14..16c7bf6 100644
> --- a/examples/Makefile.am
> +++ b/examples/Makefile.am
> @@ -25,6 +25,8 @@ EXTRA_DIST = \
>  	apparmor/libvirt-lxc \
>  	apparmor/usr.lib.libvirt.virt-aa-helper \
>  	apparmor/usr.sbin.libvirtd \
> +	apparmor/local-usr.sbin.libvirtd \
> +	apparmor/local-usr.lib.libvirt.virt-aa-helper \
>  	lxcconvert/virt-lxc-convert \
>  	polkit/libvirt-acl.rules \
>  	$(wildcard $(srcdir)/systemtap/*.stp) \
> @@ -74,6 +76,18 @@ apparmor_DATA = \
>  	apparmor/usr.sbin.libvirtd \
>  	$(NULL)
>  
> +localdir = $(apparmordir)/local
> +local_DATA = \
> +	apparmor/local-usr.sbin.libvirtd \
> +	apparmor/local-usr.lib.libvirt.virt-aa-helper \
> +	$(NULL)
> +
> +install-data-hook:
> +	mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \
> +	   $(DESTDIR)$(localdir)/usr.sbin.libvirtd
> +	mv $(DESTDIR)$(localdir)/local-usr.lib.libvirt.virt-aa-helper \
> +	   $(DESTDIR)$(localdir)/usr.lib.libvirt.virt-aa-helper
> +
>  abstractionsdir = $(apparmordir)/abstractions
>  abstractions_DATA = \
>  	apparmor/libvirt-qemu \
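Review bot: the two `mv` commands in install-data-hook overwrite $(DESTDIR)$(localdir)/usr.sbin.libvirtd and $(DESTDIR)$(localdir)/usr.lib.libvirt.virt-aa-helper unconditionally, so running the install again on a host where the admin has already added site rules replaces those rules with the empty template. That undoes the purpose the commit message gives for a non-conffile override. Install the template only when the target does not exist yet (for example a `test -f` guard around each move), or install under the final name from a separate source directory so no rename is needed. There is also no uninstall-hook: local_DATA records the local-* names, so `make uninstall` will remove nothing and leave the renamed files behind.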
> diff --git a/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper b/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
> new file mode 100644
> index 0000000..82c9c39
> --- /dev/null
> +++ b/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
> @@ -0,0 +1,2 @@
> +# Site-specific additions and overrides for usr.lib.libvirt.virt-aa-helper.
> +# For more details, please see /etc/apparmor.d/local/README.
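Review bot: the second comment line points at /etc/apparmor.d/local/README, a hard-coded path to a file that none of the three files in this patch installs, while the Makefile.am hunk installs these templates under $(apparmordir)/local. On a system where the README is not provided by something else, or where apparmordir is not /etc/apparmor.d, the pointer dangles. Either state in the template itself what may go in the file (additional rules for the profile named in the first line) or drop the README reference; the same applies to local-usr.sbin.libvirtd.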
> diff --git a/examples/apparmor/local-usr.sbin.libvirtd b/examples/apparmor/local-usr.sbin.libvirtd
> new file mode 100644
> index 0000000..6e19f20
> --- /dev/null
> +++ b/examples/apparmor/local-usr.sbin.libvirtd
> @@ -0,0 +1,2 @@
> +# Site-specific additions and overrides for usr.sbin.libvirtd.
> +# For more details, please see /etc/apparmor.d/local/README.

I wonder if this is too much distro specifics? (We're shipping the same in
Debian). It should in any case be squashed into the previous commit.
Cheers,
 -- Guido



