[libvirt] [PATCH] apparmor: add network netlink raw rule

Cédric Bosdonnat posted 1 patch 6 years, 4 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20171109162410.25095-1-cbosdonnat@suse.com
examples/apparmor/usr.sbin.libvirtd | 1 +
1 file changed, 1 insertion(+)
[libvirt] [PATCH] apparmor: add network netlink raw rule
Posted by Cédric Bosdonnat 6 years, 4 months ago
The rule 'network netlink raw' fixes these denials on libvirtd start:

apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=12969
comm="libvirtd" family="netlink" sock_type="raw" protocol=0
requested_mask="create" denied_mask="create"
---
 examples/apparmor/usr.sbin.libvirtd | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 819068ffc..8ac5233cc 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -36,6 +36,7 @@
   network inet6 dgram,
   network packet dgram,
   network packet raw,
+  network netlink raw,
 
   ptrace (trace) peer=unconfined,
   ptrace (trace) peer=/usr/sbin/libvirtd,
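Review bot: the commit message quotes the denial (family="netlink" sock_type="raw" protocol=0) but does not say which libvirtd code path opens the raw netlink socket, so a reviewer cannot tell from the patch alone whether the new `network netlink raw,` line is the narrowest rule that clears it; one sentence naming that code path in the commit message would help. Note also that AppArmor network rules match on family and socket type, so this grants raw netlink sockets of any netlink protocol, not only protocol=0 (NETLINK_ROUTE) shown in the denial, which is worth stating explicitly next to the existing `network packet raw,` entry. Finally, as the reply in this thread points out, the same rule is already part of intrigeri's apparmor patchset (msg00161), so this change should either be dropped or rebased on that series to avoid a duplicate line.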
-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] apparmor: add network netlink raw rule
Posted by Jim Fehlig 6 years, 4 months ago
On 11/09/2017 09:24 AM, Cédric Bosdonnat wrote:
> The rule 'network netlink raw' fixes these denials on libvirtd start:
> 
> apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=12969
> comm="libvirtd" family="netlink" sock_type="raw" protocol=0
> requested_mask="create" denied_mask="create"
> ---
>   examples/apparmor/usr.sbin.libvirtd | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index 819068ffc..8ac5233cc 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -36,6 +36,7 @@
>     network inet6 dgram,
>     network packet dgram,
>     network packet raw,
> +  network netlink raw,

This is already included in intrigeri's patchset to fix other apparmor rules

https://www.redhat.com/archives/libvir-list/2017-November/msg00161.html

Regards,
Jim

Re: [libvirt] [PATCH] apparmor: add network netlink raw rule
Posted by Cedric Bosdonnat 6 years, 4 months ago
On Thu, 2017-11-09 at 09:43 -0700, Jim Fehlig wrote:
> On 11/09/2017 09:24 AM, Cédric Bosdonnat wrote:
> > The rule 'network netlink raw' fixes these denials on libvirtd start:
> > 
> > apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=12969
> > comm="libvirtd" family="netlink" sock_type="raw" protocol=0
> > requested_mask="create" denied_mask="create"
> > ---
> >   examples/apparmor/usr.sbin.libvirtd | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> > index 819068ffc..8ac5233cc 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -36,6 +36,7 @@
> >     network inet6 dgram,
> >     network packet dgram,
> >     network packet raw,
> > +  network netlink raw,
> 
> This is already included in intrigeri's patchset to fix other apparmor rules
> 
> https://www.redhat.com/archives/libvir-list/2017-November/msg00161.html

Oops, I was too quick, sorry for the noise.

--
Cedric
