Hi,

On Sun, 24 May 2015 16:51:27 +0000 Luke Faraone <lfara...@debian.org> wrote:
> On Sun, 2015-05-24 at 09:43 +0200, Guido Günther wrote:
> > Hi,
> > thanks for the patch.
> > On Sun, May 24, 2015 at 12:14:48AM +0000, Luke Faraone wrote:
> > [..snip..]
> > > --- usr.lib.libvirt.virt-aa-helper 2015-05-23 23:43:44.751750819
> > > +0000
> > > +++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper 2015-05-24
> > > 00:03:13.039766331 +0000
> > > @@ -1,7 +1,7 @@
> > > # Last Modified: Mon Apr 5 15:10:27 2010
> > > #include <tunables/global>
> > >
> > > -/usr/lib/libvirt/virt-aa-helper {
> > > +/usr/lib/libvirt/virt-aa-helper flags=(complain) {
> >
> > Is that one needed as well or is it rather a debugging leftover?
>
> Oops, you're right, this was just for debugging. Sorry about that.
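Review bot: the `flags=(complain)` added to the profile header in the quoted hunk puts the whole virt-aa-helper profile into complain mode, so AppArmor would log violations but no longer enforce any rule in the profile; as Luke confirms in his reply, it is a debugging leftover, and that line must be dropped from the patch before it is applied.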
I think the problems you are seeing are entirely because of bug #786652. These denials should be harmless; therefore I propose the attached patch. This is also aligned with what Ubuntu does in their virt-aa-helper profile.

Cheers,
Felix
--- libvirt-1.2.16.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ libvirt-1.2.16/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -16,9 +16,16 @@ profile virt-aa-helper /usr/{lib,lib64}/ owner @{PROC}/[0-9]*/status r, @{PROC}/filesystems r, + /etc/libnl-3/classid r, + # for hostdev /sys/devices/ r, /sys/devices/** r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, /usr/{lib,lib64}/libvirt/virt-aa-helper mr, /sbin/apparmor_parser Ux,
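Review bot: the new `deny /dev/sd* r,` ... `deny /dev/mapper/* r,` block carries no comment, unlike the neighbouring `# for hostdev` rules, and the stated purpose (silencing denials that bug #786652 shows to be harmless) is not visible from the profile itself; a line such as `# silence harmless block-device probe denials, see #786652` above `deny /dev/sd* r,` would stop the next maintainer from reading these as a deliberate restriction. The comment should also say that explicit `deny` rules are quiet by default and take precedence over any `allow` rule, so if virt-aa-helper ever legitimately needs to read one of these devices the open will fail without a log entry. The same applies to the new `/etc/libnl-3/classid r,` line, which gives no hint why the helper needs it.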
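To check a patch like this against the denials it is meant to address, a reviewer can pull the `DENIED` events for the `virt-aa-helper` profile out of the kernel audit log and classify each logged path against the rules the hunk adds: covered by an explicit `deny` (silenced, since deny rules win over allow rules and are quiet by default), covered by an `allow` (now granted), or covered by nothing (still logged). The script below is an added example, not code from this thread, from libvirt or from Ubuntu's profile. The audit lines are constructed for illustration, the rule list is my transcription of the hunk above, and the AppArmor glob translation is a simplified reimplementation (`**` crosses `/`, `*` and `?` do not, `{a,b}` is alternation, bracket expressions pass through) that covers the rules on this page rather than the full profile language.

```python
import re

# Constructed audit lines in the shape AppArmor emits for denials; these are
# illustrative only, not copied from Debian bug #786652.
SAMPLE_LOG = """\
audit: type=1400 audit(1432478588.123:101): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/dev/sda" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1432478588.124:102): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/dev/mapper/vg0-root" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1432478588.125:103): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/dev/dm-0" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1432478588.126:104): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl-3/classid" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1432478588.127:105): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/libvirt/images/guest.qcow2" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1432478588.128:106): apparmor="DENIED" operation="open" profile="libvirtd" name="/dev/sdb" pid=1234 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# My transcription of the rules the proposed hunk adds: (kind, path glob, perms).
PATCH_RULES = [
    ("allow", "/etc/libnl-3/classid", "r"),
    ("deny", "/dev/sd*", "r"),
    ("deny", "/dev/vd*", "r"),
    ("deny", "/dev/dm-*", "r"),
    ("deny", "/dev/mapper/", "r"),
    ("deny", "/dev/mapper/*", "r"),
]

DENIED_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"'
)


def parse_denials(log_text, profile):
    """Return [(path, denied_mask), ...] for the DENIED events of one profile."""
    found = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group("profile") == profile:
            found.append((m.group("name"), m.group("mask")))
    return found


def apparmor_glob_to_regex(glob):
    """Translate an AppArmor path glob into a Python regex (simplified semantics,
    an assumption: '**' crosses '/', '*' and '?' do not, '{a,b}' alternates,
    '[...]' passes through, everything else is literal)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth > 0:
            out.append("|")
        elif c == "[":
            j = glob.index("]", i)          # copy the bracket expression verbatim
            out.append(glob[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def rule_matches(rule_glob, path):
    """True if the AppArmor rule path glob matches the whole path."""
    return re.fullmatch(apparmor_glob_to_regex(rule_glob), path) is not None


def classify(denials, rules):
    """Map each denied path to 'silenced' (an explicit deny covers it; deny
    wins over allow and is quiet), 'allowed' (an allow rule grants the
    denied perms) or 'still-logged' (no rule covers it)."""
    verdicts = {}
    for path, mask in denials:
        verdict = "still-logged"
        for kind, rule_glob, perms in rules:
            if rule_matches(rule_glob, path) and set(mask) <= set(perms):
                if kind == "deny":
                    verdict = "silenced"
                    break
                verdict = "allowed"
        verdicts[path] = verdict
    return verdicts


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG, "virt-aa-helper")
    for path, verdict in classify(denials, PATCH_RULES).items():
        print(f"{verdict:13} {path}")
```

On a real host, feed `journalctl -k` or `/var/log/audit/audit.log` into `parse_denials` instead of `SAMPLE_LOG`; any path that comes back as `still-logged` is one the patch does not address, and any `silenced` path is one the helper will never again be able to read while the deny rule stands.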