http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c14
--- Comment #14 from James Fehlig
Can you please send v3? ;-)
I sent it based on Jamie's feedback, before seeing this response :-/.
+ ptrace (tace) peer=(label= {profile_name}),
should be
+ ptrace (trace) peer=@{profile_name},
That's "trace" instead of "tace", you'll need an @ to prefix variables, and ptrace rules don't accept the "peer=(label=...)" syntax ;-)
I verified apparmor_parser actually succeeds this time.
That said - what's the intention of this rule? IMHO the other two should be enough. (See also Jamie's mail https://www.redhat.com/archives/libvir-list/2017-September/msg00841.html - but he also missed the @ for the variable)
This rule was a failed attempt to squelch the below denial
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
Your added rules don't cover this, so you'll probably need another rule ptrace trace peer=libvirt-*,
Added in V3 https://www.redhat.com/archives/libvir-list/2017-September/msg00844.html
Also, it looks like you need to add /etc/libnl/classid r, to the virt-aa-helper profile.
I'll send a separate patch for that one.
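Added example, not code from the bug report, libvirt or AppArmor: a small Python helper that parses AVC denial lines like the one quoted above into their fields, turns each denial into the AppArmor rule that would cover it (collapsing a per-guest libvirt-<uuid> peer label to the libvirt-* glob the comment suggests), and lints a ptrace rule for the three mistakes the comment names (misspelled access keyword, missing @ on a variable, and the peer=(label=...) form that ptrace rules do not accept). Assumptions: the second audit line and the /usr/lib/libvirt/virt-aa-helper profile path are constructed for illustration; the ptrace access keyword list is the one documented in apparmor.d(5); the linter covers only those three mistakes, so apparmor_parser remains the authority on whether a rule is valid.

```python
import re

# Constructed sample input. The first line is the ptrace denial quoted in the
# bug comment; the second is a constructed file-access denial for the
# /etc/libnl/classid read the comment says virt-aa-helper needs (the
# virt-aa-helper profile path is an assumption, not taken from the bug).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" '
    'denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"',
    'type=AVC msg=audit(1506112700.001:1330): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/libnl/classid" pid=8400 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# libvirt labels each guest as libvirt-<uuid>; the uuid differs per VM.
LIBVIRT_GUEST_LABEL_RE = re.compile(
    r"libvirt-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def parse_avc(line):
    """Split an audit/AVC line into a dict of field name -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def suggest_rule(fields):
    """Return the AppArmor rule that would permit this denial, or None if not a denial."""
    if fields.get("apparmor") != "DENIED":
        return None
    mask = fields.get("denied_mask", "")
    if fields.get("operation") == "ptrace" and "peer" in fields:
        peer = fields["peer"]
        # One rule per guest uuid would never be complete, so follow the bug
        # comment and match every guest label with a glob.
        if LIBVIRT_GUEST_LABEL_RE.fullmatch(peer):
            peer = "libvirt-*"
        return f"ptrace ({mask}) peer={peer},"
    if "name" in fields and mask:
        # Plain file access denial: path followed by the denied permission mask.
        return f"{fields['name']} {mask},"
    return None


def rules_by_profile(lines):
    """Map each confined profile to the sorted, de-duplicated rules it is missing."""
    out = {}
    for line in lines:
        fields = parse_avc(line)
        rule = suggest_rule(fields)
        if rule:
            out.setdefault(fields["profile"], set()).add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


# ptrace access keywords accepted by apparmor.d(5).
PTRACE_ACCESS = {"r", "w", "rw", "read", "readby", "trace", "tracedby"}

# ptrace [ (access, ...) | access ] [peer=LABEL]  (trailing comma stripped first)
PTRACE_RULE_RE = re.compile(
    r"^ptrace(?:\s+(?:\(([^)]*)\)|(?!peer=)(\S+)))?(?:\s+peer=(.+))?\s*$")


def lint_ptrace_rule(rule):
    """Return a list of the problems named in the bug comment found in one ptrace rule."""
    problems = []
    m = PTRACE_RULE_RE.match(rule.strip().rstrip(","))
    if not m:
        return ["not a ptrace rule"]
    access_list, single_access, peer = m.groups()
    if access_list:
        accesses = [a.strip() for a in access_list.split(",") if a.strip()]
    else:
        accesses = [single_access] if single_access else []
    for access in accesses:
        if access not in PTRACE_ACCESS:
            problems.append(f"unknown ptrace access '{access}'")
    if peer is not None:
        if peer.startswith("(label="):
            problems.append("ptrace rules do not accept peer=(label=...); write peer=LABEL")
        # A '{' that is not preceded by '@' is a variable used without its prefix.
        if re.search(r"(?<!@)\{", peer):
            problems.append("variable reference needs the @ prefix, e.g. @{profile_name}")
    return problems


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_AUDIT_LINES).items():
        print(profile)
        for rule in rules:
            print("   ", rule)
    print(lint_ptrace_rule("ptrace (tace) peer=(label= {profile_name}),"))
    print(lint_ptrace_rule("ptrace (trace) peer=@{profile_name},"))
```

Run it against lines from the audit log to get a first draft of the missing rules per profile; the draft still needs review for over-broad globs before it goes into a profile, and apparmor_parser is the final check on syntax.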