[Pkg-libvirt-maintainers] Bug#786650: virt-aa-helper: incomplete apparmor profile
Felix Geyer
fgeyer at debian.org
Thu Aug 20 09:18:59 UTC 2015
On 20.08.2015 09:54, intrigeri wrote:
> Guido Günther wrote (19 Aug 2015 16:56:46 GMT) :
>>> # for hostdev
>>> /sys/devices/ r,
>>> /sys/devices/** r,
>>> + deny /dev/sd* r,
>>> + deny /dev/vd* r,
>>> + deny /dev/dm-* r,
>>> + deny /dev/mapper/ r,
>>> + deny /dev/mapper/* r,
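Review bot: the five added deny lines carry no comment of their own and sit directly under the "# for hostdev" heading, so a reader takes them for part of the hostdev rules when they cover block device nodes (/dev/sd*, /dev/vd*, /dev/dm-*, /dev/mapper/). Add a comment line above them stating their purpose and which accesses by the helper they are meant to cover, and separate them from the /sys/devices/ rules. Because an AppArmor deny rule takes precedence over any allow rule and is not logged by default, the comment should also state that read access to these nodes is never expected from virt-aa-helper; otherwise a later allow rule for one of these paths will fail with nothing in the logs to show why.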
>> ...what is this for? We don't have this hunk upstream either.
> It apparently comes from the Ubuntu delta.
>
> I'll try to bzr branch
> https://code.launchpad.net/~ubuntu-branches/ubuntu/wily/libvirt/wily
> later (likely not today) and see if there's an explanation in there.
>
> Felix or anyone else, feel free to be faster than me :)
That bzr tree hasn't been updated in a long while.
The deny rules aren't strictly necessary but they silence those (harmless) denials.
I'm not quite sure why virt-aa-helper opens the devices in the first place.
We need to look into how to push this upstream.
Through modifying the helper or the profile.
Cheers,
Felix