1. Patchew
  2. Libvirt
  3. [PATCH 0/8] Further Debian/Ubuntu Apparmor Delta
  4. View patch

[PATCH 1/8] apparmor: allow default pki path

Christian Ehrhardt posted 8 patches 5 years, 6 months ago
There is a newer version of this series
[PATCH 1/8] apparmor: allow default pki path
Posted by Christian Ehrhardt 5 years, 6 months ago 
From: Sam Hartman <hartmans@debian.org>

/etc/pki/qemu is a pki path recommended by qemu tls docs [1]
and one that can cause issues with spice connections when missing.

Add the path to the allowed list of pki paths to fix the issue.

Note: this is active in Debian/Ubuntu [1] for quite a while already.

[1]: https://www.qemu.org/docs/master/system/tls.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 1a4b226612..2d08d6f7ad 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -94,6 +94,8 @@
   /etc/pki/CA/* r,
   /etc/pki/libvirt{,-spice,-vnc}/ r,
   /etc/pki/libvirt{,-spice,-vnc}/** r,
+  /etc/pki/qemu/ r,
+  /etc/pki/qemu/** r,
 
   # the various binaries
   /usr/bin/kvm rmix,
-- 
2.27.0
Re: [PATCH 1/8] apparmor: allow default pki path
Posted by Jamie Strandboge 5 years, 6 months ago 
On Mon, 03 Aug 2020, Christian Ehrhardt wrote:

> From: Sam Hartman <hartmans@debian.org>
> 
> /etc/pki/qemu is a pki path recommended by qemu tls docs [1]
> and one that can cause issues with spice connections when missing.
> 
> Add the path to the allowed list of pki paths to fix the issue.
> 
> Note: this is active in Debian/Ubuntu [1] for quite a while already.
> 
> [1]: https://www.qemu.org/docs/master/system/tls.html
> [2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  src/security/apparmor/libvirt-qemu | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 1a4b226612..2d08d6f7ad 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -94,6 +94,8 @@
>    /etc/pki/CA/* r,
>    /etc/pki/libvirt{,-spice,-vnc}/ r,
>    /etc/pki/libvirt{,-spice,-vnc}/** r,
> +  /etc/pki/qemu/ r,
> +  /etc/pki/qemu/** r,

+1 to apply

-- 
Jamie Strandboge             | http://www.canonical.com

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.