[PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

Jim Fehlig jfehlig at suse.com
Tue Sep 22 22:34:22 UTC 2020

Like other distros, openSUSE Tumbleweed recently changed libexecdir from
/usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
and pygrub.

Signed-off-by: Jim Fehlig <jfehlig at suse.com>

I considered including /usr/lib64, but I don't think any distros are
installing xen libexecdir targets to /usr/lib64. Happy to include it
if I'm wrong :-).

 src/security/apparmor/usr.sbin.libvirtd.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2030764cd..bf4563e1e8 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   /{usr/,}lib/udev/scsi_id PUx,
   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
   /usr/{lib,lib64}/xen/bin/* Ux,
-  /usr/lib/xen-*/bin/libxl-save-helper PUx,
-  /usr/lib/xen-*/bin/pygrub PUx,
+  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
+  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,

