[libvirt] [PATCH 07/10] apparmor: include local apparmor profiles

Jamie Strandboge jamie at canonical.com
Mon May 15 14:28:40 UTC 2017


On Mon, 2017-05-15 at 15:23 +0200, Stefan Bader wrote:
> From: Felix Geyer <fgeyer at debian.org>
> 
> Local overrides is a feature Debian/Ubuntu libvirt provided for a while.
> This allows the user to have a non-conffile that he can use to extend the
> package delivered rules with extra content matching his special case.
> 
> This change adds the include directives to the apparmor profiles
> for virt-aa-helper and libvirtd.
> 

I'm fine with this change, but it is important to understand that
/etc/apparmor.d/local/usr.sbin.libvirtd must exist, otherwise the profile will
fail to load. In Debian/Ubuntu we use dh_apparmor, which takes care of this for
us. If this is upstreamed, then wherever install of the profile happens or is
documented, the local changes file also needs to be installed/documented.
Other non-deb distributions might not like this extra file, so it is possible
this may be a Debian and its derivatives thing...

> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  examples/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++
>  examples/apparmor/usr.sbin.libvirtd              | 3 +++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> index 012080c..93ba74e 100644
> --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -56,4 +56,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-
> helper {
>    /**.vmdk r,
>    /**.[iI][sS][oO] r,
>    /**/disk{,.*} r,
> +
> +  # Site-specific additions and overrides. See local/README for details.
> +  #include <local/usr.lib.libvirt.virt-aa-helper>
>  }
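
Review bot: The comment added above `#include <local/usr.lib.libvirt.virt-aa-helper>` points readers to local/README, but the diffstat lists only the two profile files, so nothing in this patch provides that README. Either add the README alongside the example profiles or reword the comment so it does not reference a file the tree does not ship.
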
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 353b039..c37d5ee 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -85,4 +85,7 @@
>  
>     /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
>    }
> +
> +  # Site-specific additions and overrides. See local/README for details.
> +  #include <local/usr.sbin.libvirtd>
>  }
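
Review bot: The `#include <local/usr.sbin.libvirtd>` line at the end of the profile has no matching file in this patch, and as the reply above notes, the profile fails to load when that file is absent. Ship an empty local/usr.sbin.libvirtd (and the virt-aa-helper counterpart) with the examples, or document at the install step that the file must be created.
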
-- 
Jamie Strandboge             | http://www.canonical.com
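
The existence requirement raised in the reply above can be checked before profiles are loaded. The following is an added example, not part of the original message or of libvirt's code; the function names are hypothetical, and it assumes includes are written as `#include <local/NAME>` or `include <local/NAME>` and resolve relative to the profile directory.

```shell
#!/bin/sh
# Added example: report local/ include files that AppArmor profiles reference
# but that do not exist on disk, and optionally create them empty.
# Assumption: includes resolve relative to the profile directory
# (/etc/apparmor.d unless another directory is passed as the first argument).

missing_local_includes() {
    dir=${1:-/etc/apparmor.d}
    for profile in "$dir"/*; do
        # Skip subdirectories such as local/ and an unmatched glob.
        [ -f "$profile" ] || continue
        # Pull NAME out of every "#include <local/NAME>" or "include <local/NAME>" line.
        sed -n 's|^[[:space:]]*#\{0,1\}include[[:space:]]*<\(local/[^>]*\)>.*|\1|p' "$profile" |
        while IFS= read -r rel; do
            [ -e "$dir/$rel" ] || printf '%s: missing %s\n' "$profile" "$dir/$rel"
        done
    done
}

# Create each missing file empty, the step the reply says dh_apparmor
# performs on Debian/Ubuntu. An empty file adds no rules to the profile.
create_missing_local_includes() {
    dir=${1:-/etc/apparmor.d}
    mkdir -p "$dir/local"
    missing_local_includes "$dir" | sed 's/^.*: missing //' |
    while IFS= read -r path; do
        : > "$path"
    done
}

# When run with a directory argument, print what is missing there.
[ $# -eq 0 ] || missing_local_includes "$1"
```
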