[PATCH 2/8] apparmor: allow libvirtd to call pygrub
Jamie Strandboge
jamie at canonical.com
Mon Aug 3 15:00:23 UTC 2020
On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
> From: Stefan Bader <stefan.bader at canonical.com>
>
> When using xen through libxl in Debian/Ubuntu it needs to be able to
> call pygrub.
>
> This is placed in a versioned path like /usr/lib/xen-4.11/bin.
> In theory the rule could be more strict by rendering the libexec_dir
> setting pkg-config can derive from libbxen-dev. But that would make
> particular libvirt/xen packages version-depend on each other. It seems
> more reasonable to avoid these versioned dependencies and use a wildcard
> rule instead as it is already in place for libxl-save-helper.
>
> Note: This change was in Debian [1] and Ubuntu [2] for quite some time
> already.
>
> [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768
> [2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1326003
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
> src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index 1e137039e9..312fa4b6d1 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
> /usr/{lib,lib64}/xen/bin/* Ux,
> /usr/lib/xen-*/bin/libxl-save-helper PUx,
> + /usr/lib/xen-*/bin/pygrub PUx,
LGTM. +1 to apply
--
Jamie Strandboge | http://www.canonical.com
More information about the libvir-list
mailing list