Re: [libvirt] [PATCH 07/10] apparmor: include local apparmor profiles

2017-05-15 Thread Stefan Bader
On 15.05.2017 16:30, Jamie Strandboge wrote:
> On Mon, 2017-05-15 at 09:28 -0500, Jamie Strandboge wrote:
>> On Mon, 2017-05-15 at 15:23 +0200, Stefan Bader wrote:
>>> From: Felix Geyer 
>>>
>>> Local overrides is a feature Debian/Ubuntu libvirt provided for a while.
>>> This allows the user to have a non-conffile that he can use to extend the
>>> package delivered rules with extra content matching his special case.
>>>
>>> This change adds the include directives to the apparmor profiles
>>> for virt-aa-helper and libvirtd.
>>>
>>
>> I'm fine with this change but it is important to understand that
>> /etc/apparmor.d/local/usr.sbin.libvirtd must exist otherwise the profile will
>> fail to load. In Debian/Ubuntu we use dh_apparmor which takes care of this for
>> us. If this is upstreamed, then wherever install of the profile happens or is
>> documented, then the local changes file needs to also be installed/documented.
>> Other non-deb distributions might not like this extra file, so it is possible
>> this may be a Debian and its derivatives thing
>>
> 
> Oh heh, I see you adjusted the Makefile.am for this in 08. Thanks!

Yeah, I guess it could make sense to merge those two changes into one. I was
just hesitating initially as the first part came via Debian and the latter is
an extension I did. Admittedly it is not completely consistent as I did merge
for other things.

> 
> 
> 
> --
> libvir-list mailing list
> libvir-list@redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
> 





Re: [libvirt] [PATCH 07/10] apparmor: include local apparmor profiles

2017-05-15 Thread Jamie Strandboge
On Mon, 2017-05-15 at 09:28 -0500, Jamie Strandboge wrote:
> On Mon, 2017-05-15 at 15:23 +0200, Stefan Bader wrote:
> > From: Felix Geyer 
> > 
> > Local overrides is a feature Debian/Ubuntu libvirt provided for a while.
> > This allows the user to have a non-conffile that he can use to extend the
> > package delivered rules with extra content matching his special case.
> > 
> > This change adds the include directives to the apparmor profiles
> > for virt-aa-helper and libvirtd.
> > 
> 
> I'm fine with this change but it is important to understand that
> /etc/apparmor.d/local/usr.sbin.libvirtd must exist otherwise the profile will
> fail to load. In Debian/Ubuntu we use dh_apparmor which takes care of this for
> us. If this is upstreamed, then wherever install of the profile happens or is
> documented, then the local changes file needs to also be installed/documented.
> Other non-deb distributions might not like this extra file, so it is possible
> this may be a Debian and its derivatives thing
> 

Oh heh, I see you adjusted the Makefile.am for this in 08. Thanks!

-- 
Jamie Strandboge | http://www.canonical.com


Re: [libvirt] [PATCH 07/10] apparmor: include local apparmor profiles

2017-05-15 Thread Jamie Strandboge
On Mon, 2017-05-15 at 15:23 +0200, Stefan Bader wrote:
> From: Felix Geyer 
> 
> Local overrides is a feature Debian/Ubuntu libvirt provided for a while.
> This allows the user to have a non-conffile that he can use to extend the
> package delivered rules with extra content matching his special case.
> 
> This change adds the include directives to the apparmor profiles
> for virt-aa-helper and libvirtd.
> 

I'm fine with this change but it is important to understand that
/etc/apparmor.d/local/usr.sbin.libvirtd must exist otherwise the profile will
fail to load. In Debian/Ubuntu we use dh_apparmor which takes care of this for
us. If this is upstreamed, then wherever install of the profile happens or is
documented, then the local changes file needs to also be installed/documented.
Other non-deb distributions might not like this extra file, so it is possible
this may be a Debian and its derivatives thing

> Signed-off-by: Christian Ehrhardt 
> Signed-off-by: Stefan Bader 
> ---
>  examples/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++
>  examples/apparmor/usr.sbin.libvirtd  | 3 +++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> index 012080c..93ba74e 100644
> --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -56,4 +56,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-
> helper {
>    /**.vmdk r,
>    /**.[iI][sS][oO] r,
>    /**/disk{,.*} r,
> +
> +  # Site-specific additions and overrides. See local/README for details.
> +  #include 
>  }
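Review bot: The wording "additions and overrides" in the comment added to the virt-aa-helper profile promises more than an include placed before the closing brace can deliver. AppArmor rules are additive, so a local file can grant more access or add deny rules, but it cannot withdraw an allow rule such as `/**.vmdk r,` above it. Suggest "Site-specific additions", or spell out in the README that tightening the profile needs deny rules.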
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 353b039..c37d5ee 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -85,4 +85,7 @@
>  
> /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
>    }
> +
> +  # Site-specific additions and overrides. See local/README for details.
> +  #include 
>  }
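Review bot: In usr.sbin.libvirtd the include sits after the closing brace of the nested block that ends with the qemu-bridge-helper rule, so rules from the local file land in the outer profile only and the nested block gets no site-specific extension point. If that is intended, say so in the comment; otherwise the nested block needs its own include.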
-- 
Jamie Strandboge | http://www.canonical.com
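
The failure mode described in this reply (an include whose target file is absent stops the profile from loading) can be caught before load. The following is an added example, not part of the original message or the libvirt tree; it assumes include targets resolve under the profile base directory, and the function names and sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the libvirt tree: find include targets a profile
# needs but that are absent, so a missing local/ file is caught before load.
# Assumption: '#include <path>' resolves under the profile base directory
# (/etc/apparmor.d on a stock install); function names are hypothetical.

# Print each <...> include target in PROFILE that does not exist under BASE.
missing_includes() {
    profile=$1
    base=${2:-/etc/apparmor.d}
    sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]\{1,\}<\([^>]*\)>.*/\1/p' \
        "$profile" |
    while IFS= read -r inc; do
        [ -e "$base/$inc" ] || printf '%s\n' "$inc"
    done
}

# Create empty placeholders for missing local/ targets only. Paths containing
# '..' are skipped so nothing is written outside BASE/local; other missing
# includes (a missing abstraction, say) are left for the operator.
create_local_stubs() {
    profile=$1
    base=${2:-/etc/apparmor.d}
    missing_includes "$profile" "$base" |
    while IFS= read -r inc; do
        case $inc in
            *..*) ;;
            local/*) mkdir -p "$(dirname "$base/$inc")" && : > "$base/$inc" ;;
        esac
    done
}

# Constructed sample: one include that exists, one local/ include that does not.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/abstractions" && : > "$d/abstractions/base"
    cat > "$d/usr.sbin.libvirtd" <<'EOF'
/usr/sbin/libvirtd {
  #include <abstractions/base>
  #include <local/usr.sbin.libvirtd>
}
EOF
    echo "missing before: $(missing_includes "$d/usr.sbin.libvirtd" "$d")"
    create_local_stubs "$d/usr.sbin.libvirtd" "$d"
    echo "missing after:  $(missing_includes "$d/usr.sbin.libvirtd" "$d")"
    rm -rf "$d"
}
demo
```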


[libvirt] [PATCH 07/10] apparmor: include local apparmor profiles

2017-05-15 Thread Stefan Bader
From: Felix Geyer 

Local overrides is a feature Debian/Ubuntu libvirt provided for a while.
This allows the user to have a non-conffile that he can use to extend the
package delivered rules with extra content matching his special case.

This change adds the include directives to the apparmor profiles
for virt-aa-helper and libvirtd.

Signed-off-by: Christian Ehrhardt 
Signed-off-by: Stefan Bader 
---
 examples/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++
 examples/apparmor/usr.sbin.libvirtd  | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper 
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 012080c..93ba74e 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -56,4 +56,7 @@ profile virt-aa-helper 
/usr/{lib,lib64}/libvirt/virt-aa-helper {
   /**.vmdk r,
   /**.[iI][sS][oO] r,
   /**/disk{,.*} r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include 
 }
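Review bot: The comment added to the virt-aa-helper profile points readers to local/README, but the diffstat lists only the two profile files, so this patch does not ship that README. Either add the README in the same commit or reword the comment so it does not refer to a file a reader of this tree cannot find.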
diff --git a/examples/apparmor/usr.sbin.libvirtd 
b/examples/apparmor/usr.sbin.libvirtd
index 353b039..c37d5ee 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -85,4 +85,7 @@
 
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
   }
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include 
 }
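Review bot: The include added at the end of usr.sbin.libvirtd makes the profile depend on a file this patch does not create; as raised in review, /etc/apparmor.d/local/usr.sbin.libvirtd must exist or the profile fails to load. The Makefile.am change that handles this is in 08, so a tree at 07 alone has the include without the file. Fold the two patches together or state the dependency in the commit message.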
-- 
2.7.4
