[Pkg-libvirt-maintainers] Bug#725144: Bug#725144: libvirt-bin: Please build with apparmor support.

Guido Günther agx at sigxcpu.org
Wed Jan 22 06:27:21 UTC 2014


Hi Felix,
On Tue, Jan 21, 2014 at 11:04:06PM +0100, Felix Geyer wrote:
[..snip..] 
> I'll have a more detailed look at the differences between the upstream and
> Ubuntu profiles tomorrow to see which parts are upstreamable.
> Would you accept a patch with the necessary profile changes in the meantime?
> The policies shipped by upstream don't work as they are right now (starting VMs fails).

I'm fine with a patch against a libvirt built with
--with-apparmor-profiles (which we added upstream to ease basing
profiles on the upstream work). This will allow us to upstream profile
changes as necessary and avoid lots of unnecessary duplication. Please
already remove the Ubuntu-specific parts like the encfs stuff among
other things.

[..snip..] 
> I was wrong about when the apparmor driver is enabled:
> It's automatically enabled when /usr/sbin/libvirtd has an apparmor profile attached to it
> and /etc/apparmor.d/libvirt/TEMPLATE exists. There's no need to enable it in the config.

That's what I read from the sources, however, for libvirtd, but I haven't
checked yet if you need to enable it for qemu VM confinement.

> So it would be feasible to maintain the profiles in a separate package. Personally I'd
> prefer to ship them in libvirt since it requires some integration work and is not just
> a profile that you stick into /etc/apparmor.d/.

I'm fine with shipping it if we try to minimize the diff. 

> I see you've already enabled the apparmor driver but the required binary
> /usr/lib/libvirt/virt-aa-helper is not installed into libvirt-bin.

I meant to include this too. An oversight on my part.

> The postinst, postrm and cron.daily parts of my original patch are also desirable.
> For example without the postinst changes the profiles are only loaded after a reboot.

The whole setup currently has the problem that it doesn't allow for a
read-only /etc and that it removes files out of /etc/ which can confuse
users. The generated profiles shouldn't live in /etc but in
/var/cache/libvirt/apparmor. Once this is moved we can clean this up. Can
you fix that up (e.g. by a symlink)?

The postinst part is fine but we should move the aa-status call out of
the loop. No need to do it several times:

if aa-status --enabled 2>/dev/null; then
  ....
fi

Thanks for working on this!
Cheers,
 -- Guido
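
Added example, not part of the original message or of the Debian packaging: a postinst-style shell function that runs `aa-status --enabled` once and only then loops over the profile files, reloading each with `apparmor_parser -r`. The function name `reload_profiles`, the `AA_STATUS`/`AA_PARSER` override variables and the profile paths passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Illustration only: not the libvirt-bin postinst. The caller supplies the
# profile paths; none are taken from the thread.

# Overridable so the logic can be exercised on a host without AppArmor.
AA_STATUS="${AA_STATUS:-aa-status}"
AA_PARSER="${AA_PARSER:-apparmor_parser}"

# reload_profiles FILE...
# Returns 0 when AppArmor is disabled (nothing to do) or every existing
# profile loaded, 1 when at least one profile failed to load.
reload_profiles() {
    # Single check for the whole run, outside the loop.
    if ! $AA_STATUS --enabled 2>/dev/null; then
        return 0
    fi

    rc=0
    for profile in "$@"; do
        # Skip profiles that are not present (e.g. removed by the admin).
        [ -f "$profile" ] || continue
        # -r replaces a profile already loaded in the kernel, so the new
        # policy is active right after install instead of after a reboot.
        if ! $AA_PARSER -r "$profile"; then
            echo "warning: could not load AppArmor profile $profile" >&2
            rc=1
        fi
    done
    return $rc
}
```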


