[PATCH V2 4/4] Apparmor: Allow reading /etc/ssl/openssl.cnf
Jim Fehlig
jfehlig at suse.com
Tue Jun 22 23:27:47 UTC 2021
I noticed the following denial when running confined VMs with the QEMU
driver
type=AVC msg=audit(1623865089.263:865): apparmor="DENIED" operation="open" \
profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=12503 \
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Allow reading the file by including the openssl abstraction in the
virt-aa-helper profile.
Signed-off-by: Jim Fehlig <jfehlig at suse.com>
---
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 8ebb47596a..ff1d46bebe 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -2,6 +2,7 @@
profile virt-aa-helper @libexecdir@/virt-aa-helper {
#include <abstractions/base>
+ #include <abstractions/openssl>
# needed for searching directories
capability dac_override,
--
2.31.1
More information about the libvir-list
mailing list