Re: [libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config
On Wed, Jun 07, 2017 at 07:00:56PM +0200, Guido Günther wrote:
> On Wed, Jun 07, 2017 at 10:44:59AM -0600, Christian Ehrhardt wrote:
> > On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther wrote:
> > > Shouldn't this only be added when ceph is in use?
> > > Cheers,
> > > -- Guido
> > >
> >
> > Yeah it is part of a category of rules where in a perfect world we would
> > write virt-aa-helper code for each of them.
> > In this particular case I think the existence of the following would be the
> > trigger:
> >
> >
> > [...]
> >
> >
> > Yet for some cases - like this one - the "opening" we are doing in regard
> > to apparmor is quite small and maybe the burden to create (and maintain) it
> > in virt-aa-helper is too much.
> >
> > So I'd appreciate if that change could be considered as-is - otherwise
> > please let me know - I'll then add it to a bunch of issues of the category
> > "needs to be done in virt-aa-helper" which I already track.
>
> I was under the impression that ceph.conf might contain sensitive data
> which we might not want to open up to all domains but looking at
>
> http://docs.ceph.com/docs/jewel/rados/configuration/ceph-conf/
>
> this does not seem to be the case so this is probably o.k.

Pushed. Thanks.
 -- Guido

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config
On Wed, Jun 07, 2017 at 10:44:59AM -0600, Christian Ehrhardt wrote:
> On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther wrote:
> > Shouldn't this only be added when ceph is in use?
> > Cheers,
> > -- Guido
> >
>
> Yeah it is part of a category of rules where in a perfect world we would
> write virt-aa-helper code for each of them.
> In this particular case I think the existence of the following would be the
> trigger:
>
>
> [...]
>
>
> Yet for some cases - like this one - the "opening" we are doing in regard
> to apparmor is quite small and maybe the burden to create (and maintain) it
> in virt-aa-helper is too much.
>
> So I'd appreciate if that change could be considered as-is - otherwise
> please let me know - I'll then add it to a bunch of issues of the category
> "needs to be done in virt-aa-helper" which I already track.

I was under the impression that ceph.conf might contain sensitive data
which we might not want to open up to all domains but looking at

http://docs.ceph.com/docs/jewel/rados/configuration/ceph-conf/

this does not seem to be the case so this is probably o.k.
Cheers,
 -- Guido
Re: [libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config
On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther wrote:
> Shouldn't this only be added when ceph is in use?
> Cheers,
> -- Guido
>

Yeah it is part of a category of rules where in a perfect world we would
write virt-aa-helper code for each of them.
In this particular case I think the existence of the following would be the
trigger:


[...]
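Below is an added example that is not part of this thread and not code from libvirt's virt-aa-helper. It sketches, in Python, the two checks the discussion turns on: emitting the ceph.conf read rule only for a domain whose XML actually carries an rbd-backed disk (the "only when ceph is in use" question), and withholding the rule when ceph.conf itself embeds a credential (the sensitivity question raised in the later reply). The domain XML shape (`<disk type='network'>` with `<source protocol='rbd'>`), the INI layout of ceph.conf and the `key` option name are assumptions taken from libvirt and Ceph documentation; the sample XML and configuration text are constructed for the example.

```python
# Added example, not code from the libvirt thread or from virt-aa-helper.
# It shows per-domain gating of the ceph.conf rule and a check that the
# file being opened does not hand the guest's qemu process a credential.
# Assumptions: libvirt domain XML with <disk type='network'> and
# <source protocol='rbd'>; ceph.conf in its INI layout; the option name
# 'key' holding a base64 secret inline. Sample inputs below are constructed.
import configparser
import xml.etree.ElementTree as ET

CEPH_CONF = "/etc/ceph/ceph.conf"

# Ceph options whose *value* is the secret itself. 'keyring' and 'keyfile'
# are paths, and the profile rule discussed here grants no read on those
# paths, so only an inline 'key' would leak through a read of ceph.conf.
INLINE_SECRET_OPTIONS = ("key",)


def domain_uses_rbd(domain_xml):
    """True when any disk of the domain is backed by an rbd network source."""
    root = ET.fromstring(domain_xml)
    for src in root.iterfind("./devices/disk[@type='network']/source"):
        if src.get("protocol") == "rbd":
            return True
    return False


def inline_secrets(conf_text):
    """(section, option) pairs in ceph.conf whose value is credential material."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, allow_no_value=True
    )
    parser.read_string(conf_text)
    return [
        (section, option)
        for section in parser.sections()
        for option in parser.options(section)
        if option in INLINE_SECRET_OPTIONS
    ]


def ceph_profile_rules(domain_xml, conf_text):
    """AppArmor rule lines to append for one domain.

    Empty unless the domain actually uses rbd; raises ValueError when
    granting the read would expose an inline secret to the guest's qemu.
    """
    if not domain_uses_rbd(domain_xml):
        return []
    leaks = inline_secrets(conf_text)
    if leaks:
        raise ValueError("%s carries inline credentials: %r" % (CEPH_CONF, leaks))
    return ["  # for rbd", "  %s r," % CEPH_CONF]


def rule_refused(domain_xml, conf_text):
    """True when the rule is withheld because ceph.conf embeds a secret."""
    try:
        ceph_profile_rules(domain_xml, conf_text)
    except ValueError:
        return True
    return False


# --- constructed sample inputs (not from any real deployment) -------------
RBD_DOMAIN = """<domain type='kvm'>
  <name>rbd-guest</name>
  <devices>
    <disk type='network' device='disk'>
      <driver name='qemu' type='raw'/>
      <source protocol='rbd' name='libvirt-pool/rbd-guest'>
        <host name='mon.example.invalid' port='6789'/>
      </source>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""

LOCAL_DOMAIN = """<domain type='kvm'>
  <name>local-guest</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/local-guest.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""

CLEAN_CONF = """[global]
fsid = 00000000-0000-0000-0000-000000000000
mon host = mon.example.invalid

[client.libvirt]
keyring = /etc/ceph/ceph.client.libvirt.keyring
"""

# Same file with the secret pasted inline under [client.libvirt].
LEAKY_CONF = CLEAN_CONF + "key = CONSTRUCTED-NOT-A-REAL-KEY\n"

if __name__ == "__main__":
    print(ceph_profile_rules(LOCAL_DOMAIN, CLEAN_CONF))
    print(ceph_profile_rules(RBD_DOMAIN, CLEAN_CONF))
    print("refused:", rule_refused(RBD_DOMAIN, LEAKY_CONF))
```

The point of the second check is that the static rule only opens ceph.conf, never the keyring, so a plain `r` grant is harmless exactly as long as administrators keep credentials in the keyring file rather than inline; a per-domain generator can enforce that instead of assuming it.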
Re: [libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config
On Tue, May 23, 2017 at 06:22:45PM +0200, Stefan Bader wrote: > From: Serge Hallyn> > Signed-off-by: Christian Ehrhardt > Signed-off-by: Stefan Bader > --- > examples/apparmor/libvirt-qemu | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu > index 7fa512f..fddc93a 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -156,6 +156,9 @@ >/sys/bus/ r, >/sys/class/ r, > > + # for rbd > + /etc/ceph/ceph.conf r, > + Shouldn't this only be added when ceph is in use? Cheers, -- Guido ># for ppc device-tree access >@{PROC}/device-tree/ r, >@{PROC}/device-tree/** r, > -- > 2.7.4 > > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list > -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config
From: Serge HallynSigned-off-by: Christian Ehrhardt Signed-off-by: Stefan Bader --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 7fa512f..fddc93a 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -156,6 +156,9 @@ /sys/bus/ r, /sys/class/ r, + # for rbd + /etc/ceph/ceph.conf r, + # for ppc device-tree access @{PROC}/device-tree/ r, @{PROC}/device-tree/** r, -- 2.7.4 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
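Review bot: the `+ /etc/ceph/ceph.conf r,` line in the `@@ -156,6 +156,9 @@` hunk adds the read unconditionally for every domain confined by the libvirt-qemu profile, not only for those with rbd-backed disks, which is exactly the gating question raised in the replies; if the per-domain route through virt-aa-helper is deliberately not taken, the commit message should say so and record why a read of ceph.conf is acceptable to expose to all guests, since the body here carries only the From: and Signed-off-by: lines and no rationale.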