[Pkg-libvirt-maintainers] Bug#725144: Bug#725144: libvirt-bin: Please build with apparmor support.

Felix Geyer fgeyer at debian.org
Sat Jan 4 19:03:14 UTC 2014


Hi,

On 04.01.2014 18:19, Guido Günther wrote:
> Hi Felix,
> On Fri, Jan 03, 2014 at 10:58:14PM +0100, Felix Geyer wrote:
>> I've ported and tested the libvirt AppArmor support from the Ubuntu package.
>>
>> The only difference in the profiles is this addition to usr.lib.libvirt.virt-aa-helper:
>>   /etc/libnl-[0-9]/classid r,
>>
>> It can be enabled by setting this in /etc/libvirt/qemu.conf:
>> security_driver = "apparmor"
> 
> Can you please work on upstreaming this? I don't see why this should be
> in the Debian package. Who is going to maintain these policies in the
> future?
> Cheers,
>  -- Guido

The upstream source already contains example profiles. It's generally not feasible to
maintain AppArmor profiles upstream because of distro differences and changes.

The profiles usr.sbin.libvirtd and usr.lib.libvirt.virt-aa-helper could be easily
maintained in a separate apparmor profile package. intrigeri proposed an
apparmor-profiles-extra package [1] that would be maintained by an AppArmor Debian team.
I am committed to maintaining the libvirt profiles.

Having libvirt-qemu outside of libvirt is problematic because the AppArmor driver of
libvirt uses it to generate profiles for the VMs. When it's missing, starting VMs will
fail (when the AppArmor driver is enabled).

Cheers,
Felix

[1] https://lists.ubuntu.com/archives/apparmor/2014-January/004876.html


