apparmor: add ro rule for sasl GSSAPI plugin on /etc/gss/mech.d/

If a system has sasl GSSAPI plugin available qemu with sasl support will
try to read /etc/gss/mech.d/.

It is required to allow that to let the modules fully work and it should
be safe to do so as it only registers/configures plugins but has no secrets.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 950b0428268df070110fffe280d13f514e1d012c..2c476522500b022f251241c30431004df41f647d 100644 (file)
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -192,3 +192,7 @@
   # silence refusals to open lttng files (see LP: #1432644)
   deny /dev/shm/lttng-ust-wait-* r,
   deny /run/shm/lttng-ust-wait-* r,
+
+  # required for sasl GSSAPI plugin
+  /etc/gss/mech.d/ r,
+  /etc/gss/mech.d/* r,