[libvirt] [PATCH 1/4] apparmor: Fix parthelper, iohelper and virt-aa-helper paths in profiles

Michal Privoznik mprivozn at redhat.com
Tue Jan 22 16:47:14 UTC 2019


On 1/22/19 3:12 PM, Daniel P. Berrangé wrote:
> On Tue, Jan 22, 2019 at 03:09:17PM +0100, Christian Ehrhardt wrote:
>> On Tue, Jan 22, 2019 at 2:40 PM Michal Privoznik <mprivozn at redhat.com> wrote:
>>>
>>> These helper binaries are installed under the libexec dir, not the
>>> lib dir.
>>>
>>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>>> ---
>>>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
>>>  src/security/apparmor/usr.sbin.libvirtd              | 4 ++--
>>>  2 files changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>>> index de9436872c..e2c336fca0 100644
>>> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>>> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>>> @@ -33,7 +33,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>>>    deny /dev/mapper/ r,
>>>    deny /dev/mapper/* r,
>>>
>>> -  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
>>> +  /usr/libexec/virt-aa-helper mr,
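Review bot: the attachment path in this hunk's header context, `profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {`, is left as it was while the `mr` rule inside the profile moves from `/usr/{lib,lib64}/libvirt/virt-aa-helper` to `/usr/libexec/virt-aa-helper`, so after the change the profile attaches to one path and grants the helper mapping of its own binary on another; whichever install layout is intended, both lines must name the same path, and the file name `usr.lib.libvirt.virt-aa-helper` should follow it. Hardcoding either path also breaks distros that configure `--libexecdir=${prefix}/lib/libvirt`, as the follow-ups point out; generating the profile from a `.in` file with the configured libexecdir substituted at build time, and renaming the output to match, avoids both problems.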
>>
>> In a common Debian/Ubuntu installation those are in fact in /usr/lib/libvirt/,
>> so this change would break us.
>> To me it seems the current content matches the distros with apparmor in place.
>> Not sure about Suse here atm.
>>
>> But if we are changing that, we should consider making this dependent
>> on --libexecdir, as this is where this path really comes from.
>> And Debian/Ubuntu are setting --libexecdir=\${prefix}/lib/libvirt at
>> config time.
> 
> Agreed, any path in the AppArmor profile that is related to libvirt
> should be a variable that is substituted in at build time to take account
> of possible distro differences.

Okay, looks like we have an agreement here. We can have a .in file from
which configure will generate the actual file with the correct paths.
Plus it will have to deal with renaming so that the file name matches
its path.

Just a side note, the rationale behind these patches is that Gentoo
currently has three patches it applies on top of libvirt git. I'd like
to get rid of them, as I had to rebase them quite often recently.

Michal
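
A build-time rendering of the kind described in the reply above, as an added example that is not libvirt's build system or code from anyone in this thread: the template text, the placeholder name @libexecdir@, and the consistency check are constructed for illustration. It renders the profile for two --libexecdir values, names the output file after the binary path in the style of the thread's own profile file names, and checks that the attachment path on the `profile` line and the path given the `mr` rule agree, which is the mismatch the quoted hunk would introduce.

```shell
#!/bin/sh
# Added example, not libvirt's build system: render an AppArmor profile from a
# template carrying an @libexecdir@ placeholder (placeholder name assumed),
# name the output after the binary path the way the thread's profile files
# are named, and check that the attachment path and the "mr" rule agree.
set -eu

# Derive the profile file name from the attachment path, following the
# convention visible in the thread (usr.lib.libvirt.virt-aa-helper,
# usr.sbin.libvirtd): drop the leading "/" and turn every other "/" into ".".
aa_profile_name() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Substitute @libexecdir@ in a template read from stdin, as configure would
# for a .in file. Assumes the directory contains no "|" or "&", which holds
# for the paths discussed in the thread.
render_profile() {
    sed -e "s|@libexecdir@|$1|g"
}

# Extract the path the profile attaches to (from the "profile NAME PATH {"
# line) and the path given the "mr" rule; print the attachment path if they
# match, return 1 if they differ or either is missing.
check_profile_consistency() {
    attach=$(sed -n 's/^profile [^ ]* \([^ ]*\) {$/\1/p' "$1")
    rule=$(sed -n 's/^ *\([^ ]*\) mr,$/\1/p' "$1")
    [ -n "$attach" ] && [ "$attach" = "$rule" ] || return 1
    printf '%s\n' "$attach"
}

# Constructed template standing in for a usr.lib.libvirt.virt-aa-helper.in;
# the real profile has many more rules.
TEMPLATE='profile virt-aa-helper @libexecdir@/virt-aa-helper {
  deny /dev/mapper/ r,
  deny /dev/mapper/* r,

  @libexecdir@/virt-aa-helper mr,
}'

# Constructed reproduction of the shape of the posted hunk: attachment path
# still under /usr/{lib,lib64}/libvirt, mr rule moved to /usr/libexec.
POSTED='profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
  /usr/libexec/virt-aa-helper mr,
}'

# Render TEMPLATE for one --libexecdir value ($1) into directory $2 under the
# derived file name; print that file name.
generate_for_libexecdir() {
    name=$(aa_profile_name "$1/virt-aa-helper")
    printf '%s\n' "$TEMPLATE" | render_profile "$1" > "$2/$name"
    printf '%s\n' "$name"
}

main() {
    tmp=$(mktemp -d)
    # libexecdir values from the thread: Fedora/Gentoo style and Debian/Ubuntu style
    for dir in /usr/libexec /usr/lib/libvirt; do
        f=$(generate_for_libexecdir "$dir" "$tmp")
        echo "$dir -> $f (attaches to $(check_profile_consistency "$tmp/$f"))"
    done
    printf '%s\n' "$POSTED" > "$tmp/posted"
    if check_profile_consistency "$tmp/posted" > /dev/null; then
        echo "posted hunk: consistent"
    else
        echo "posted hunk: attachment path and mr rule disagree"
    fi
    rm -rf "$tmp"
}

main
```

Run it as-is; with --libexecdir=/usr/lib/libvirt the output file is usr.lib.libvirt.virt-aa-helper and both paths inside it agree, with /usr/libexec it becomes usr.libexec.virt-aa-helper, and the reproduction of the posted hunk fails the consistency check.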
