From 5f6ccb087545aec6e57b5ef98d707be11c7b6259 Mon Sep 17 00:00:00 2001
From: Tom
Date: Tue, 20 Aug 2024 23:30:59 +0000
Subject: [PATCH] Allow apparmor parser to be executed in /usr/bin

This commit modifies the AppArmor profile for virt-aa-helper to accommodate an observed behavior in certain Linux distributions, such as ArchLinux. In these distributions, /usr/sbin symlinks to /usr/bin. To ensure that virt-aa-helper can execute apparmor_parser when it resides in /usr/bin, the profile has been updated accordingly.

Signed-off-by: Tom
Reviewed-by: Andrea Bolognani
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 26ee20a17d..44645c6989 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -41,7 +41,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
 deny /dev/mapper/* r,
 @libexecdir@/virt-aa-helper mr,
- /{usr/,}sbin/apparmor_parser Ux,
+ /{usr/,}{s,}bin/apparmor_parser Ux,
 @sysconfdir@/apparmor.d/libvirt/* r,
 @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
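Review bot: The widened rule `/{usr/,}{s,}bin/apparmor_parser Ux,` is an unconfined-execute rule, so each of the four paths it now matches is a location from which virt-aa-helper may start a binary outside any profile (with a scrubbed environment, per `Ux`). The commit message only motivates `/usr/bin`; `/bin/apparmor_parser` is admitted as a side effect of the alternation. On a merged-/usr layout that is the same file, and these directories are normally writable by root only, so the added exposure looks small. The rule should still carry a comment so the extra alternation is not read as accidental, for example `# apparmor_parser is found under /usr/bin where /usr/sbin is a symlink to it (e.g. ArchLinux)`. The profile body starts and ends outside the hunk, so whether other rules in it name sbin-only paths that need the same treatment cannot be checked from here.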