http://bugzilla.opensuse.org/show_bug.cgi?id=1065123
http://bugzilla.opensuse.org/show_bug.cgi?id=1065123#c2

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> ---

(In reply to James Fehlig from comment #1)
> (In reply to Christian Boltz from comment #0)
> > signal send set=hup peer=/usr/sbin/dnsmasq,
> > signal send set=(term,kill) peer=unconfined,
>
> These are the ones needed in SLE15. Note that Jamie suggested changing the signal rules to
>
> signal (send) peer=/usr/sbin/dnsmasq,
> signal (send) peer=libvirt-*,
Removing the set=... means to allow all signals, so this is fine. The rule with peer=libvirt-* also makes sense. The interesting question is if peer=unconfined (sending a signal to a program running without AppArmor confinement) is needed - IIRC I've seen such an event in my audit.log, but I'm not sure what it was. I'll re-test when the updated profile enters Tumbleweed.
> > Also, several mount rules are needed - either as a generous "mount," rule (as proposed by intrigeri as a quick fix to allow mounting everything), or with the following detailed rules (which are more restrictive, but might still need some adjustments) ...
>
> intrigeri included these rules in V3 of his series
> https://www.redhat.com/archives/libvir-list/2017-November/msg00162.html
Yeah, he already joked that this is a real cross-distribution patchset:

<intrigeri> it's nice to have a PR (libvirt upstream) prepared by a Debian person, that integrates work coming from openSUSE, and reviewed by an Ubuntu person :)
<intrigeri> + chances are it's merged by a Red Hat person :)
> I think patch1 is fine and has essentially already been ACKed by Jamie. I'd prefer Jamie's feedback on patch2 as well, since I'm far from an apparmor expert.
The quick summary is that the detailed mount rules are more restrictive than the general "mount," rule (which allows all mounting).
> Even though they are not yet committed upstream, I'll add these patches to the Factory libvirt package so libvirt will actually work with latest TW and SLE15.
Thanks!
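The open question in this comment is whether `peer=unconfined` (and a bare `mount,`) is really needed, which is something audit.log can answer. The script below is an added example, not code from the bug report, from libvirt or from the AppArmor project: it parses constructed audit lines in the `type=AVC ... apparmor="DENIED"` format the AppArmor kernel module emits, groups signal and mount events per profile, and prints the most restrictive rules (`set=(...)` per peer, `options=(...)` per mount target) that would cover exactly what was observed. The profile name `/usr/sbin/libvirtd`, the `libvirt-0f8c2a3e-example` peer (shaped to match `peer=libvirt-*`) and the mount target path are all constructed sample values.

```python
"""Summarise AppArmor signal/mount audit events into candidate profile rules.

Added example (not from the bug report): turns audit.log AVC records into the
least-permissive rules that cover them, so a broad rule such as
`peer=unconfined` or a bare `mount,` is only added when the log shows a need.
"""
import re
from collections import defaultdict

# Constructed sample audit.log lines in the AppArmor AVC record format; the
# profile, pid, peer names and mount path are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1510000000.101:201): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=hup peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1510000000.102:202): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
type=AVC msg=audit(1510000000.103:203): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=kill peer="libvirt-0f8c2a3e-example"
type=AVC msg=audit(1510000000.104:204): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/sbin/libvirtd" name="/var/run/libvirt/qemu/example.dev/" pid=2001 comm="libvirtd" flags="rw, bind"
type=AVC msg=audit(1510000000.105:205): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
type=SYSCALL msg=audit(1510000000.105:205): arch=c000003e syscall=62 success=no exit=-13 comm="libvirtd"
"""

# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the fields of an AppArmor DENIED/ALLOWED record, or None for anything else."""
    if "apparmor=" not in line:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    # ALLOWED records come from complain mode and would be denials in enforce mode,
    # so they are treated the same way as DENIED ones.
    if fields.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None
    return fields


def summarize(log_text):
    """Group events per profile into signal peers -> signals and mount targets -> flag tuples."""
    summary = defaultdict(lambda: {"signal": defaultdict(set), "mount": defaultdict(set)})
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        profile = ev.get("profile", "?")
        op = ev.get("operation")
        if op == "signal" and "send" in ev.get("denied_mask", ""):
            summary[profile]["signal"][ev.get("peer", "?")].add(ev.get("signal", "?"))
        elif op == "mount":
            flags = tuple(f.strip() for f in ev.get("flags", "").split(",") if f.strip())
            summary[profile]["mount"][ev.get("name", "?")].add(flags)
    return summary


def render_rules(summary, profile):
    """Emit the most restrictive AppArmor rules that cover the observed events for one profile."""
    rules = []
    for peer, signals in sorted(summary[profile]["signal"].items()):
        rules.append("signal send set=(%s) peer=%s," % (",".join(sorted(signals)), peer))
    for target, flag_sets in sorted(summary[profile]["mount"].items()):
        for flags in sorted(flag_sets):
            opts = "options=(%s) " % ", ".join(flags) if flags else ""
            rules.append("mount %s-> %s," % (opts, target))
    return rules


def signals_to_unconfined(summary, profile):
    """Signals the profile sent to unconfined peers; an empty set means peer=unconfined is not needed."""
    return set(summary[profile]["signal"].get("unconfined", set()))


if __name__ == "__main__":
    s = summarize(SAMPLE_AUDIT_LOG)
    for rule in render_rules(s, "/usr/sbin/libvirtd"):
        print(rule)
    print("signals to unconfined peers:", sorted(signals_to_unconfined(s, "/usr/sbin/libvirtd")))
```

Run against a real audit.log, the generated `set=(...)` rules are the tight form of what the comment lists; if `signals_to_unconfined()` comes back empty for the profile, the `peer=unconfined` rule can be dropped, and if the mount targets are few and stable, the per-target `mount options=(...) -> target,` rules are preferable to a bare `mount,`.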