AppArmor policy: support merged-/usr.

author intrigeri <intrigeri@debian.org>

Sat, 3 Dec 2016 18:32:48 +0000 (18:32 +0000)

committer Daniel P. Berrange <berrange@redhat.com>

Mon, 12 Dec 2016 14:08:35 +0000 (14:08 +0000)
author intrigeri <intrigeri@debian.org>
Sat, 3 Dec 2016 18:32:48 +0000 (18:32 +0000)
committer Daniel P. Berrange <berrange@redhat.com>
Mon, 12 Dec 2016 14:08:35 +0000 (14:08 +0000)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu

index 11381d4df0fdbd7167d3959bdf1ed97360b65e25..133c2eb093f8ec65e2a486c979394ec06b1d2244 100644 (file)
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -136,12 +136,12 @@
    /usr/{lib,lib64}/qemu/block-rbd.so mr,
  
    # for save and resume
-  /bin/dash rmix,
-  /bin/dd rmix,
-  /bin/cat rmix,
+  /{usr/,}bin/dash rmix,
+  /{usr/,}bin/dd rmix,
+  /{usr/,}bin/cat rmix,
  
    # for restore
-  /bin/bash rmix,
+  /{usr/,}bin/bash rmix,
  
    # for usb access
    /dev/bus/usb/ r,
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper

index b34fb353263e373f2844d48c996741ecc878d6bb..4a8f197048c7184c15f4760fef044d0cb156360b 100644 (file)
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -21,7 +21,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
    /sys/devices/** r,
  
    /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
-  /sbin/apparmor_parser Ux,
+  /{usr/,}sbin/apparmor_parser Ux,
  
    /etc/apparmor.d/libvirt/* r,
    /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd

index 48651b28f36d89986c11a9d24d15cb8df66b5b87..934124b80f60954b6a8ab9d4f7d4f1cbc7c56f63 100644 (file)
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -47,12 +47,12 @@
    /usr/bin/* PUx,
    /usr/sbin/virtlogd pix,
    /usr/sbin/* PUx,
-  /lib/udev/scsi_id PUx,
+  /{usr/,}lib/udev/scsi_id PUx,
    /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
    /usr/{lib,lib64}/xen/bin/* Ux,
  
    # force the use of virt-aa-helper
-  audit deny /sbin/apparmor_parser rwxl,
+  audit deny /{usr/,}sbin/apparmor_parser rwxl,
    audit deny /etc/apparmor.d/libvirt/** wxl,
    audit deny /sys/kernel/security/apparmor/features rwxl,
    audit deny /sys/kernel/security/apparmor/matching rwxl,
author	intrigeri <intrigeri@debian.org>
	Sat, 3 Dec 2016 18:32:48 +0000 (18:32 +0000)
committer	Daniel P. Berrange <berrange@redhat.com>
	Mon, 12 Dec 2016 14:08:35 +0000 (14:08 +0000)
examples/apparmor/libvirt-qemu		patch \| blob \| blame \| history
examples/apparmor/usr.lib.libvirt.virt-aa-helper		patch \| blob \| blame \| history
examples/apparmor/usr.sbin.libvirtd		patch \| blob \| blame \| history