From: Jim Fehlig
To: libvir-list@redhat.com
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com
Subject: [PATCH V2 4/4] Apparmor: Allow reading /etc/ssl/openssl.cnf
Date: Tue, 22 Jun 2021 17:27:47 -0600
Message-ID: <20210622232747.21592-5-jfehlig@suse.com>
In-Reply-To: <20210622232747.21592-1-jfehlig@suse.com>
References: <20210622232747.21592-1-jfehlig@suse.com>

I noticed the following denial when running confined VMs with the QEMU driver

type=AVC msg=audit(1623865089.263:865): apparmor="DENIED" operation="open" \
  profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=12503 \
  comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Allow reading the file by including the openssl abstraction in the
virt-aa-helper profile.

Signed-off-by: Jim Fehlig
Reviewed-by: Christian Ehrhardt
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index 8ebb47596a..ff1d46bebe 100644 
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -2,6 +2,7 @@ =20 profile virt-aa-helper @libexecdir@/virt-aa-helper { #include + #include =20 # needed for searching directories capability dac_override, --=20 2.31.1
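
Review bot: The added `#include` at the top of `profile virt-aa-helper` pulls in a whole abstraction, while the denial quoted in the commit message is for a single read (requested_mask="r") of /etc/ssl/openssl.cnf. Since virt-aa-helper is the component that generates per-VM profiles, it is worth keeping its own profile as narrow as possible: either state in the commit message why the abstraction is preferred over a single path rule such as `/etc/ssl/openssl.cnf r,` or use that rule instead. The new line also has no comment, unlike the neighbouring "# needed for searching directories" entry; a one-line comment naming the file and what in virt-aa-helper opens it would help later audits of the profile.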