From de79efdeb8558bbdb3677dbcaaebf7c50cb3bab4 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sat, 3 Dec 2016 18:32:48 +0000
Subject: [PATCH] AppArmor policy: support merged-/usr.
Acked-by: Christian Ehrhardt
---
 examples/apparmor/libvirt-qemu | 8 ++++----
 examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
 examples/apparmor/usr.sbin.libvirtd | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 11381d4df0..133c2eb093 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -136,12 +136,12 @@
 /usr/{lib,lib64}/qemu/block-rbd.so mr,
 # for save and resume
- /bin/dash rmix,
- /bin/dd rmix,
- /bin/cat rmix,
+ /{usr/,}bin/dash rmix,
+ /{usr/,}bin/dd rmix,
+ /{usr/,}bin/cat rmix,
 # for restore
- /bin/bash rmix,
+ /{usr/,}bin/bash rmix,
 # for usb access
 /dev/bus/usb/ r,
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index b34fb35326..4a8f197048 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -21,7 +21,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
 /sys/devices/** r,
 /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
- /sbin/apparmor_parser Ux,
+ /{usr/,}sbin/apparmor_parser Ux,
 /etc/apparmor.d/libvirt/* r,
 /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 48651b28f3..934124b80f 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
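Review bot: The `/{usr/,}bin/dash`, `dd`, `cat` and `bash` lines in the libvirt-qemu hunk carry no comment saying why both spellings are listed, so a later cleanup could drop one alternative as redundant and break the profile on whichever filesystem layout remains. A one-line comment at the head of the group, `# {usr/,}: the same binaries live under /usr/bin on merged-/usr systems`, would pin the intent; the virt-aa-helper hunk's `/{usr/,}sbin/apparmor_parser Ux,` would benefit from the same remark. AppArmor mediates the resolved path, so on a merged-/usr host it is the `/usr/` branch that actually matches, while the bare `/bin/...` branch keeps non-merged hosts working — both are needed for as long as the policy ships to both layouts. The enclosing abstraction continues outside the hunk, so any other `/bin/` or `/sbin/` rules it may contain could not be checked from here.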
@@ -47,12 +47,12 @@
 /usr/bin/* PUx,
 /usr/sbin/virtlogd pix,
 /usr/sbin/* PUx,
- /lib/udev/scsi_id PUx,
+ /{usr/,}lib/udev/scsi_id PUx,
 /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
 /usr/{lib,lib64}/xen/bin/* Ux,
 # force the use of virt-aa-helper
- audit deny /sbin/apparmor_parser rwxl,
+ audit deny /{usr/,}sbin/apparmor_parser rwxl,
 audit deny /etc/apparmor.d/libvirt/** wxl,
 audit deny /sys/kernel/security/apparmor/features rwxl,
 audit deny /sys/kernel/security/apparmor/matching rwxl,
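Review bot: The `{usr/,}` alternation on the `audit deny` line is load-bearing rather than cosmetic, because `/usr/sbin/* PUx,` a few lines above would otherwise permit libvirtd to execute `/usr/sbin/apparmor_parser` directly on a merged-/usr host, defeating the `# force the use of virt-aa-helper` intent; a deny only overrides an allow where it actually matches. A comment making that coupling explicit, e.g. `# must match both spellings: /usr/sbin/* PUx above would otherwise allow it`, would stop someone later "simplifying" the deny back to a single path. Whether this profile also has `/bin/*` or `/sbin/*` allow rules outside the hunk cannot be seen from here; if it does, they are already subsumed by the `/usr/bin/*` and `/usr/sbin/*` rules on merged-/usr and need no change.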