http://bugzilla.opensuse.org/show_bug.cgi?id=1065123
http://bugzilla.opensuse.org/show_bug.cgi?id=1065123#c6

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to James Fehlig from comment #4)
> Hmm, already mentioned in #0, but I missed sending/receiving signals from
> unconfined processes. The out-of-the-box default is to run QEMU/KVM
> instances unconfined (security_default_confined = 0 in
> /etc/libvirt/qemu.conf), hence no signals can be sent to reap the processes
> when doing e.g. 'virsh destroy dom'.

Ah, that explains peer=unconfined - intrigeri already wondered why it's needed, so please add this detail when upstreaming this rule.

> I'll add a downstream patch to allow signals, but I'm not sure how
> restrictive the rule should be. Christian, perhaps I'll start with your
> suggestion but include 'hup'. E.g.
>
> signal send set=(term,kill,hup) peer=unconfined,

I only noticed term and kill in my tests, but in comparison, hup is harmless ;-)

> I think the following is a bit too loose
>
> signal (read, send) peer=unconfined,

Right, that would allow way too much.
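
A small checker for the trade-off discussed in this comment, added here as an example (it is not code from the bug report, libvirt or AppArmor): it parses `signal` rules in a simplified form of the apparmor.d(5) syntax and reports what a rule grants beyond an allow-list. The function names and the allow-lists (`term`, `kill`, `hup`; `send` only) are assumptions taken from the narrower rule quoted above.

```python
import re

# Access keywords from apparmor.d(5), normalised to a direction.
ACCESS = {"r": {"receive"}, "read": {"receive"}, "receive": {"receive"},
          "w": {"send"}, "write": {"send"}, "send": {"send"},
          "rw": {"send", "receive"}}

def parse_signal_rule(line):
    """Parse one 'signal ...,' rule line; return None for any other line."""
    text = line.split("#", 1)[0].strip()
    m = re.match(r"^((?:(?:audit|deny|allow)\s+)*)signal\b(.*),$", text)
    if not m:
        return None
    body = m.group(2)
    sig = re.search(r"\bset=\(([^)]*)\)", body)
    peer = re.search(r"\bpeer=(\S+)", body)
    # What remains after removing set= and peer= is the access expression.
    words = re.findall(r"[a-z]+", re.sub(r"\bset=\([^)]*\)|\bpeer=\S+", " ", body))
    unknown = [w for w in words if w not in ACCESS]
    if unknown:
        raise ValueError("unknown access keyword(s): " + ", ".join(unknown))
    return {
        "deny": "deny" in m.group(1).split(),
        # No access expression means both directions are covered.
        "access": set().union(*(ACCESS[w] for w in words)) if words else {"send", "receive"},
        # None means no set= was given, i.e. all signals.
        "signals": set(re.findall(r"[\w+]+", sig.group(1))) if sig else None,
        "peer": peer.group(1) if peer else None,
    }

def audit_signal_rule(line, allowed_signals, allowed_access):
    """Return findings for an allow rule that grants more than the allow-lists."""
    rule = parse_signal_rule(line)
    if rule is None or rule["deny"]:
        return []
    findings = []
    if rule["signals"] is None:
        findings.append("no set=: every signal is permitted")
    elif rule["signals"] - allowed_signals:
        findings.append("extra signals: " + ",".join(sorted(rule["signals"] - allowed_signals)))
    if rule["access"] - allowed_access:
        findings.append("extra access: " + ",".join(sorted(rule["access"] - allowed_access)))
    if rule["peer"] is None:
        findings.append("no peer=: any peer label is matched")
    return findings

if __name__ == "__main__":
    # The two rules quoted in the comment above.
    for r in ("signal send set=(term,kill,hup) peer=unconfined,",
              "signal (read, send) peer=unconfined,"):
        print(r, "->", audit_signal_rule(r, {"term", "kill", "hup"}, {"send"}) or "ok")
```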