Upstream Xen has traditionally installed various hotplug and
utility scripts in /etc/xen/scripts/. openSUSE is slowly moving
all distribution provided configuration files and scripts from
/etc to /usr. In the case of the Xen scripts provided under
/etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/.
Adjust the libvirtd Apparmor profile to allow executing scripts
from this location.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
If this is deemed too distro-specific I'm happy to maintain a
downstream patch.
src/security/apparmor/usr.sbin.libvirtd | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
index 29f9936ad9..b0d23c80f3 100644
--- a/src/security/apparmor/usr.sbin.libvirtd
+++ b/src/security/apparmor/usr.sbin.libvirtd
@@ -104,6 +104,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
+ /usr/{lib,lib64}/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
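Review bot: the added `/usr/{lib,lib64}/xen/scripts/** rmix,` line carries no comment explaining why a second Xen scripts location is allowed, and its `{lib,lib64}` alternation is wider than the commit message, which names only /usr/lib/xen/scripts/. A one-line comment above the rule noting that some distros ship the Xen hotplug scripts under /usr instead of /etc would keep the reason visible in the profile itself. If no distro is expected to install them under /usr/lib64, consider dropping the alternation so the rule grants exactly the path described. The permissions mirror the existing `/etc/xen/scripts/** rmix,` line, so anything placed anywhere below the new directory becomes executable with inherited libvirtd confinement (`ix`). It is worth confirming that the whole tree is meant to be covered by `**` rather than only the scripts directly in it.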
--
2.23.0
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
> Upstream Xen has traditionally installed various hotplug and
> utility scripts in /etc/xen/scripts/. openSUSE is slowly moving
> all distribution provided configuration files and scripts from
> /etc to /usr. In the case of the Xen scripts provided under
> /etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/.
> Adjust the libvirtd Apparmor profile to allow executing scripts
> from this location.
>
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>
> If this is deemed too distro-specific I'm happy to maintain a
> downstream patch.
>
> src/security/apparmor/usr.sbin.libvirtd | 1 +
> 1 file changed, 1 insertion(+)

I'm no AppArmor expert but this looks sane enough to me, so

Reviewed-by: Andrea Bolognani <abologna@redhat.com>

--
Andrea Bolognani / Red Hat / Virtualization

On 10/18/19 8:31 AM, Andrea Bolognani wrote:
> On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
>> Upstream Xen has traditionally installed various hotplug and
>> utility scripts in /etc/xen/scripts/. openSUSE is slowly moving
>> all distribution provided configuration files and scripts from
>> /etc to /usr. In the case of the Xen scripts provided under
>> /etc/xen/scripts/, they will be moving to /usr/lib/xen/scripts/.
>> Adjust the libvirtd Apparmor profile to allow executing scripts
>> from this location.
>>
>> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
>> ---
>>
>> If this is deemed too distro-specific I'm happy to maintain a
>> downstream patch.
>>
>> src/security/apparmor/usr.sbin.libvirtd | 1 +
>> 1 file changed, 1 insertion(+)
>
> I'm no AppArmor expert but this looks sane enough to me, so
>
> Reviewed-by: Andrea Bolognani <abologna@redhat.com>

Thanks, but I think I should hold off pushing this until other distros make a
similar change to the Xen scripts location. We are still debating on when to
make the change in openSUSE :-). Sorry, I pulled the trigger a bit too early on
this one.

Regards,
Jim

On Fri, 2019-10-18 at 14:51 +0000, Jim Fehlig wrote:
> On 10/18/19 8:31 AM, Andrea Bolognani wrote:
> > On Thu, 2019-10-17 at 03:41 +0000, Jim Fehlig wrote:
> > > If this is deemed too distro-specific I'm happy to maintain a
> > > downstream patch.
> > >
> > > src/security/apparmor/usr.sbin.libvirtd | 1 +
> > > 1 file changed, 1 insertion(+)
> >
> > I'm no AppArmor expert but this looks sane enough to me, so
> >
> > Reviewed-by: Andrea Bolognani <abologna@redhat.com>
>
> Thanks, but I think I should hold off pushing this until other distros make a
> similar change to the Xen scripts location. We are still debating on when to
> make the change in openSUSE :-). Sorry, I pulled the trigger a bit too early on
> this one.

I don't think you necessarily need to wait for other distros to
adopt the same change: in my mind, it's perfectly fine to have
multiple distro-specific paths in the profile.

If, however, there are literally zero distros using this specific
path then yes, that makes it too soon :)

--
Andrea Bolognani / Red Hat / Virtualization