[libvirt] [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

Jamie Strandboge jamie at canonical.com
Thu Oct 26 13:45:03 UTC 2017


On Thu, 2017-10-26 at 08:39 -0500, Jamie Strandboge wrote:
> On Thu, 2017-10-26 at 10:22 +0000, intrigeri+libvirt at boum.org wrote:
> > diff --git a/examples/apparmor/usr.sbin.libvirtd
> > b/examples/apparmor/usr.sbin.libvirtd
> > index 819068ffc3..eb24726e08 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -30,10 +30,13 @@
> >    # Needed for vfio
> >    capability sys_resource,
> >  
> > +  mount,
> > +
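Review bot: the bare `mount,` rule added after `capability sys_resource,` grants libvirtd every mount operation (any source, destination, fstype and option set), which is much broader than what the new mount mediation in Linux 4.14 named in the subject should require; qualify it with the fstype, options, source and destination observed in the actual denials, and name those denials in the commit message so distributions tailoring this example profile know what the rule is meant to cover.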
> 
> This is interesting since the Ubuntu profile is missing mount rules.
> What specific denials/libvirt actions prompted this rule?
> 
Responding to myself now that I read the SUSE bug. I actually suggest
using the fine-grained rules in the SUSE patch because it is much
easier to add more rules for more access than to take them away. These
rules are in the 'examples' directory so I think it is expected that a
distribution may need to tailor them from time to time (hopefully
upstreaming their changes! :).

-- 
Jamie Strandboge             | http://www.canonical.com
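To answer the "what specific denials prompted this rule" question with the fine-grained rules recommended above, the following added example (mine, not code from the thread or from libvirt) parses AppArmor mount-denial audit records and emits one narrow mount rule per denial. The log lines, paths and field values are constructed for illustration and are not the SUSE bug's real denials.

```python
import re

# Constructed sample kernel-audit lines (not from the thread). The field layout
# follows the apparmor="DENIED" operation="mount" records the kernel emits;
# the libvirtd paths and flags are illustrative assumptions only.
SAMPLE_LOG = """\
audit: type=1400 audit(1509025503.101:77): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/sbin/libvirtd" name="/var/lib/libvirt/qemu/" pid=1234 comm="libvirtd" flags="rw, bind" srcname="/dev/hugepages/"
audit: type=1400 audit(1509025503.102:78): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="/usr/sbin/libvirtd" name="/run/libvirt/qemu/" pid=1234 comm="libvirtd" fstype="tmpfs" flags="rw, nosuid, nodev"
audit: type=1400 audit(1509025503.103:79): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/shadow" pid=1234 comm="libvirtd"
"""

# key="value" pairs; unquoted fields such as pid=1234 are not needed here.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_mount_denials(log_text):
    """Return one dict of key/value fields per AppArmor mount DENIED record."""
    records = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
            continue  # other operations (open, capable, ...) are out of scope
        records.append(fields)
    return records


def denial_to_rule(fields):
    """Build the narrowest mount rule that covers one denial.

    Rule grammar from apparmor.d(5):
      mount [fstype=TYPE] [options=(OPT,...)] [SOURCE] [-> DEST],
    Only the components present in the denial are emitted, so nothing is
    granted beyond what the kernel actually refused.
    """
    parts = ["mount"]
    if fields.get("fstype"):
        parts.append(f'fstype={fields["fstype"]}')
    if fields.get("flags"):
        opts = ",".join(f.strip() for f in fields["flags"].split(","))
        parts.append(f"options=({opts})")
    if fields.get("srcname"):
        parts.append(fields["srcname"])
    if fields.get("name"):
        parts.append(f'-> {fields["name"]}')
    return " ".join(parts) + ","


def rules_for_profile(log_text, profile):
    """Deduplicated fine-grained rules for one profile, in first-seen order."""
    rules = []
    for rec in parse_mount_denials(log_text):
        if rec.get("profile") != profile:
            continue
        rule = denial_to_rule(rec)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in rules_for_profile(SAMPLE_LOG, "/usr/sbin/libvirtd"):
        print("  " + rule)
```

The output is a starting point to review before it goes into the profile; aa-logprof performs the same translation interactively against the live log.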