Hi,
Jamie Strandboge:
> These rules are unfortunate, but it is important to note that this is
> in the libvirtd profile, not the guest profiles. As mentioned in the
> contextual diff, the profile is intentionally very lenient since
> libvirtd is necessarily highly trusted. As Christian mentioned,
On Fri, 2017-12-15 at 08:52 +0100, Christian Ehrhardt wrote:
> If a guest runs unconfined, but libvirtd is
> confined then the peer for signal/ptrace can only be detected as
> 'unconfined'. That triggers issues like:
> apparmor="DENIED" operation="signal"
> profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd"
> requested_mask="send" denied_mask="send" signal
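As an added example for this thread (not code from libvirt or from the patch under discussion), the script below does the triage step that follows a denial like the one quoted above: it parses AppArmor audit lines into their key=value fields and derives the apparmor.d signal/ptrace rule that would allow the denied access. The sample log lines in SAMPLE_LOG are constructed, and their peer="unconfined" field is an assumption taken from the thread's description; the line quoted in the thread is cut off right after "signal", so the script also shows that a truncated line with no peer field yields no rule rather than a guessed one.

```python
"""Triage AppArmor signal/ptrace denials and derive the matching allow rule.

Added example for this thread, not code from libvirt or from the patch under
discussion. The SAMPLE_LOG lines are constructed; the peer="unconfined" field
in them is an assumption taken from the thread's description, since the real
line quoted in the thread (THREAD_LINE) is cut off right after "signal".
"""
import re

# key=value and key="quoted value" tokens as AppArmor audit lines use them.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# The denial exactly as quoted in the thread (truncated: no peer= field).
THREAD_LINE = ('apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" '
               'pid=22395 comm="libvirtd" requested_mask="send" denied_mask="send" signal')

# Constructed sample lines; the audit prefix, the ptrace line, the ALLOWED
# (complain-mode) line and every peer= field are assumptions, not from the thread.
SAMPLE_LOG = """\
audit: type=1400 audit(1513324321.204:77): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
audit: type=1400 audit(1513324321.210:78): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
audit: type=1400 audit(1513324400.001:79): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="libvirt-0a2b3c4d-1111-2222-3333-444455556666"
"""


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict.

    Quoted values are unquoted; bare values (pid=22395) are kept as text.
    Tokens without '=' (the syslog/audit prefix) are ignored, and a key that
    was cut off before its '=' (the trailing "signal" above) is simply absent.
    """
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def suggest_rule(fields):
    """Map a DENIED signal/ptrace event to the apparmor.d rule that allows it.

    Returns None for anything else, including a truncated line whose peer
    field is missing: without the peer there is nothing safe to derive.
    """
    if fields.get("apparmor") != "DENIED":
        return None
    op = fields.get("operation")
    access = fields.get("denied_mask") or fields.get("requested_mask")
    peer = fields.get("peer")
    if op not in ("signal", "ptrace") or not access or not peer:
        return None
    rule = f"{op} ({access})"
    if op == "signal" and fields.get("signal"):
        # Keep the rule as narrow as the log allows: only the signal seen.
        rule += f" set=({fields['signal']})"
    return rule + f" peer={peer},"


def rules_from_log(text):
    """Return {profile: sorted unique rules} for every DENIED signal/ptrace line."""
    out = {}
    for line in text.splitlines():
        fields = parse_apparmor_line(line)
        rule = suggest_rule(fields)
        if rule:
            out.setdefault(fields.get("profile", "?"), set()).add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


if __name__ == "__main__":
    for profile, rules in rules_from_log(SAMPLE_LOG).items():
        print(f"# rules to add to the profile for {profile}:")
        for rule in rules:
            print("  " + rule)
    print("thread line ->", suggest_rule(parse_apparmor_line(THREAD_LINE)))
```

The derived rules read `signal (send) set=(term) peer=unconfined,` and `ptrace (trace) peer=unconfined,`; dropping the `set=(...)` part gives the wider form. Either way `peer=unconfined` matches every unconfined process on the host, not one particular guest, which is why rules of this shape only belong in a profile that is trusted anyway, as the thread notes for libvirtd, and not in a guest profile.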