Comment # 14 on bug 1058847 from
(In reply to Christian Boltz from comment #13)
> Can you please send v3? ;-)

I sent it based on Jamie's feedback, before seeing this response :-/.

> +  ptrace (tace) peer=(label= {profile_name}),
> 
> should be 
> 
> +  ptrace (trace) peer=@{profile_name},
> 
> That's "trace" instead of "tace", you'll need an @ to prefix variables, and
> ptrace rules don't accept the "peer=(label=...)" syntax ;-)

I verified apparmor_parser actually succeeds this time.

> That said - what's the intention of this rule? IMHO the other two should be
> enough. (See also Jamie's mail
> https://www.redhat.com/archives/libvir-list/2017-September/msg00841.html -
> but he also missed the @ for the variable)

This rule was a failed attempt to squelch the denial below:

> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> 
> Your added rules don't cover this, so you'll probably need another rule 
>     ptrace trace peer=libvirt-*,

Added in v3:

https://www.redhat.com/archives/libvir-list/2017-September/msg00844.html

> Also, it looks like you need to add
>   /etc/libnl/classid r,
> to the virt-aa-helper profile.

I'll send a separate patch for that one.
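For readers following the syntax discussion, here is the broken rule from the v2 patch beside the corrected forms agreed on above, written out as a profile fragment. This is an added illustration, not the libvirt project's shipped profile or anything posted in the thread; the profile names, the attachment paths, and the use of a separate virt-aa-helper stanza are assumptions made for the example.

```apparmor
# Added example (not libvirt's own profile). Profile names and attachment
# paths are assumptions; the rules are the ones discussed in the comment above.
#include <tunables/global>

profile libvirtd /usr/sbin/libvirtd {
  # Broken variant from v2 (kept commented out): "tace" is not a ptrace
  # permission, the variable lacks its @ prefix, and ptrace rules do not
  # accept the peer=(label=...) form.
  #   ptrace (tace) peer=(label= {profile_name}),

  # Corrected form of that rule: @{profile_name} is the built-in variable
  # holding this profile's own name.
  ptrace (trace) peer=@{profile_name},

  # Matches the denial quoted above, whose peer label is
  # libvirt-<uuid>, the naming scheme of the per-domain profiles.
  ptrace trace peer=libvirt-*,
}

# Assumed attachment path for virt-aa-helper; it differs between distributions.
profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper {
  /etc/libnl/classid r,
}
```

On a host with AppArmor installed, running `apparmor_parser -Q` (skip the kernel load) on a file containing this fragment checks the syntax without activating anything; the v2 "tace" line would have been rejected at that step, which is the check referred to above.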

