home:olh:xen-4.8
File libvirt.apparmor-fixes.patch of Package libvirt-7.4.0
From: Olaf Hering <olaf@aepfle.de> Date: Wed, 21 Feb 2018 10:03:48 +0000 Subject: apparmor-fixes --- src/security/apparmor/libvirt-qemu | 5 +++++ src/security/apparmor/usr.sbin.libvirtd.in | 2 ++ 2 files changed, 7 insertions(+) --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -92,24 +92,26 @@ /usr/share/slof/** r, /usr/share/vgabios/** r, # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) /etc/pki/CA/ r, /etc/pki/CA/* r, /etc/pki/libvirt{,-spice,-vnc}/ r, /etc/pki/libvirt{,-spice,-vnc}/** r, /etc/pki/qemu/ r, /etc/pki/qemu/** r, # the various binaries + /usr/lib/xen/bin/qemu-system-i386 rmix, + /usr/libexec/xen/bin/qemu-system-i386 rmix, /usr/bin/kvm rmix, /usr/bin/kvm-spice rmix, /usr/bin/qemu rmix, /usr/bin/qemu-aarch64 rmix, /usr/bin/qemu-alpha rmix, /usr/bin/qemu-arm rmix, /usr/bin/qemu-armeb rmix, /usr/bin/qemu-cris rmix, /usr/bin/qemu-i386 rmix, /usr/bin/qemu-kvm rmix, /usr/bin/qemu-m68k rmix, /usr/bin/qemu-microblaze rmix, @@ -179,24 +181,27 @@ /{usr/,}bin/swtpm rmix, /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, # for save and resume /{usr/,}bin/dash rmix, /{usr/,}bin/dd rmix, /{usr/,}bin/cat rmix, # for restore /{usr/,}bin/bash rmix, + /run/nscd/passwd r, + /run/nscd/group r, + # for usb access /dev/bus/usb/ r, /etc/udev/udev.conf r, /sys/bus/ r, /sys/class/ r, # for rbd /etc/ceph/ceph.conf r, # Various functions will need to enumerate /tmp (e.g. ceph), allow the base # dir and a few known functions like samba support. # We want to avoid to give blanket rw permission to everything under /tmp, --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in 
@@ -81,24 +81,26 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /bin/* PUx, /sbin/* PUx, /usr/bin/* PUx, @sbindir@/virtlogd pix, @sbindir@/* PUx, /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, /usr/{lib,libexec}/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix, + /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix, # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to # read and run an ebtables script. /var/lib/libvirt/virtd* ixr, # force the use of virt-aa-helper audit deny /{usr/,}sbin/apparmor_parser rwxl, audit deny /etc/apparmor.d/libvirt/** wxl, audit deny /sys/kernel/security/apparmor/features rwxl, audit deny /sys/kernel/security/apparmor/matching rwxl, audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r,
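Review bot: In the first libvirt-qemu hunk (@@ -92), the two added rules under "# the various binaries" differ only in `lib` versus `libexec` and can be a single rule using the brace alternation this file already uses elsewhere, for example `/usr/{lib,libexec}/xen/bin/qemu-system-i386 rmix,`. The subject line says only "apparmor-fixes", so a one-line comment above the rule stating that these are the Xen copies of qemu-system-i386 would make the reason for the grant visible to whoever rebases the patch next.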
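Review bot: In the second libvirt-qemu hunk (@@ -179), the added `/run/nscd/passwd r,` and `/run/nscd/group r,` follow the bash rule directly under the "# for restore" comment and carry no comment of their own, so they read as part of the restore rules. Put them in their own block with a comment naming the operation that needs to read the nscd caches, so the grant can be audited or dropped later.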
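Review bot: In the usr.sbin.libvirtd.in hunk (@@ -81), the two added qemu-system rules use `rmix`, while the executable rules above them all use a profile transition (`PUx`, `Ux` or `pix`); with `ix` the binary inherits the libvirtd profile, so either add a comment saying why inherit is intended here or use the mode the preceding rules use. The paths also hard-code `/usr/lib64` where the adjacent rules use alternations such as `/usr/{lib,lib64,lib/qemu,libexec}/`, and the `qemu-*.*` glob has no comment explaining which directory layout it is meant to match.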