[Pkg-libvirt-maintainers] Bug#892431: AppArmor denies access for libvirt to nova instances directory
aradian at tma-0.net
Tue Mar 20 05:24:15 UTC 2018
On 2018-03-18 11:00, intrigeri wrote:
> Thanks for the bug report + debugging + solution!
> I'm reassigning to the package that ships the faulty profile.
>
> Let's submit this to libvirt upstream
> (https://www.redhat.com/mailman/listinfo/libvir-list). Do you want to
> do it yourself or shall I?
It might be best if you could do that, since you're probably much more
familiar with the interaction between AppArmor and libvirt (and the
bug-reporting process) than I am.
> Now, one question before we move this upstream: does virt-aa-helper
> really need write access to /var/lib/nova/instances/**?
> Knowing a little bit what this helper does, I can't imagine why it
> would; and in your logs I see only denied_mask="r".
>
You're right. I did some testing and found that only one rule is needed
(for QCOW backing files):
/var/lib/nova/instances/_base/* r
It seems the instance disk images are covered by the existing rule:
/**/disk{,.*} r
>> Probably it would be more appropriate to put that in a separate
>> profile?
>
> I think it's fine to add these lines to usr.lib.libvirt.virt-aa-helper.
>
OK. I wasn't sure, since these rules are specific to Nova.
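A check for the rule change discussed in this thread, as an added example that is not from the bug report, from libvirt or from Nova: it takes AppArmor audit DENIED lines for the virt-aa-helper profile together with the two rules quoted above, and reports which denials those rules would still leave uncovered. The audit lines, the instance UUID and the base-file name are constructed for illustration; the glob matcher is a small reimplementation of the AppArmor path-pattern subset used here (`*` does not cross `/`, `**` does, `{a,b}` alternation), and one constructed entry for a file nested below `_base/` is included to show that the `*` rule intentionally does not reach it.

```python
"""Check which AppArmor denials a proposed set of path rules would cover.

Added example (not code from the original thread, libvirt or Nova): parse
audit-log DENIED entries for the virt-aa-helper profile, compile candidate
rules written in AppArmor syntax, and list the denials still not covered.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample audit lines (not taken from the bug report). Paths follow
# Nova's layout: per-instance directories plus a shared _base directory of
# QCOW backing files. UUID, base-file name, pids and uids are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1521521055.123:401): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/_base/3d5f1e2a9b" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=64060
type=AVC msg=audit(1521521055.124:402): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/0f8f3b1c-1111-2222-3333-444455556666/disk" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=64060
type=AVC msg=audit(1521521055.125:403): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/0f8f3b1c-1111-2222-3333-444455556666/disk.config" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=64060
type=AVC msg=audit(1521521055.126:404): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/_base/nested/extra" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=64060
type=AVC msg=audit(1521521055.127:405): apparmor="DENIED" operation="open" profile="some-other-profile" name="/var/lib/nova/instances/_base/3d5f1e2a9b" pid=4300 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=64060
"""

# The two rules quoted in the thread, in AppArmor syntax (trailing comma optional).
PROPOSED_RULES = [
    "/var/lib/nova/instances/_base/* r",   # rule found necessary for backing files
    "/**/disk{,.*} r",                     # existing rule covering instance disks
]


def _split_top_level(s: str) -> List[str]:
    """Split on commas that are not inside a nested {...} group."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def _glob_to_regex(pattern: str) -> str:
    """Translate the AppArmor path-glob subset used here into a regex body.

    '*'  -> any run of characters not containing '/'
    '**' -> any run of characters, '/' included
    '?'  -> one character that is not '/'
    '{a,b}' -> alternation (alternatives may themselves contain globs)
    '[...]' -> passed through as a character class
    """
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**", i):
                out.append(".*")
                i += 2
            else:
                out.append("[^/]*")
                i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "{":
            depth, j = 0, i
            while j < n:
                if pattern[j] == "{":
                    depth += 1
                elif pattern[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if j >= n:
                raise ValueError("unbalanced '{' in %r" % pattern)
            alts = _split_top_level(pattern[i + 1:j])
            out.append("(?:" + "|".join(_glob_to_regex(a) for a in alts) + ")")
            i = j + 1
        elif c == "[":
            j = pattern.index("]", i)          # ValueError if unbalanced
            out.append(pattern[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def parse_rule(rule: str) -> Tuple[re.Pattern, str]:
    """Split 'PATH PERMS' (trailing comma optional) into (compiled glob, perms)."""
    path, perms = rule.strip().rstrip(",").rsplit(None, 1)
    return re.compile("^" + _glob_to_regex(path) + "$"), perms


def rule_covers(rule: Tuple[re.Pattern, str], path: str, mask: str) -> bool:
    """True if the path matches and every denied permission is granted."""
    regex, perms = rule
    return regex.match(path) is not None and set(mask) <= set(perms)


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_denial(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (profile, path, denied_mask) for a DENIED audit line, else None."""
    kv = dict(_KV.findall(line))
    if kv.get("apparmor") != "DENIED" or "name" not in kv:
        return None
    return kv.get("profile", ""), kv["name"], kv.get("denied_mask", "")


def uncovered_denials(audit_text: str, rules: List[str],
                      profile: str = "virt-aa-helper") -> List[Tuple[str, str]]:
    """Denials for `profile` that none of `rules` would allow."""
    compiled = [parse_rule(r) for r in rules]
    missing = []
    for line in audit_text.splitlines():
        parsed = parse_denial(line)
        if parsed is None or parsed[0] != profile:
            continue
        _, path, mask = parsed
        if not any(rule_covers(c, path, mask) for c in compiled):
            missing.append((path, mask))
    return missing


if __name__ == "__main__":
    for path, mask in uncovered_denials(SAMPLE_AUDIT, PROPOSED_RULES):
        print("still denied: %s (%s)" % (path, mask))
```

On a real host the input would be the DENIED lines from the audit log (or kern.log/syslog when auditd is not running) rather than the constructed text above, and after adding the rule to the profile under /etc/apparmor.d/ the profile is reloaded with `apparmor_parser -r`. The nested `_base/nested/extra` entry is reported as uncovered because a single `*` stops at `/`; that is the intended scope of the rule, so a denial of that shape would call for a closer look rather than a blanket `**`.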