I can verify that the following rule does allow libvirtd to execute hooks:

  /etc/libvirt/hooks/** rmix,

Notes:

1) I actually modified /etc/apparmor.d/bin/usr.sbin.libvirtd to contain:

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.libvirtd>

like other profiles, because I thought the profile should support local additions [a separate issue, I know]. Then, I added the hooks rule above in /etc/apparmor.d/bin/local/usr.sbin.libvirtd. But, really, the hooks rule should be part of the base libvirtd profile.

2) I used the '**' because I use generic daemon and qemu hook scripts that look for "sub-hooks" under /etc/libvirt/hooks/{daemon.d,qemu.d} named <event>-<seq#>-<description> and invoke them in <seq#> order for the current <event>. I did it this way so I could add and remove sub-hooks at will, keeping different features in separate scripts and not polluting the hooks directory namespace any more than I had to -- *.d.

Personally, I'd like to see any official update to the profile use the '**' format, so I don't need to patch that locally.

What's the possibility of backporting the fix to currently supported releases?

--
https://bugs.launchpad.net/bugs/891472

Title:
  apparmor profile for libvirt does not allow hooks to be executed
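
The sub-hook layout described in note 2, sketched as an added example; this is not the poster's script or anything shipped with libvirt. The function names, the HOOKS_ROOT variable and the permission check are assumptions, as is taking the operation from the second argument libvirt passes to the hook.

```sh
#!/bin/sh
# Added example (hypothetical script): generic libvirt hook dispatcher.
# Install as /etc/libvirt/hooks/qemu or /etc/libvirt/hooks/daemon; it runs
# <name>.d/<event>-<seq#>-<description> in <seq#> order. Under the 'rmix'
# rule the sub-hooks run with 'ix', i.e. inside libvirtd's own profile.
HOOKS_ROOT="${HOOKS_ROOT:-/etc/libvirt/hooks}"

# Print eligible sub-hooks for <event> in <dir>, one per line, by numeric <seq#>.
list_subhooks() {
    dir=$1 event=$2
    for f in "$dir/$event"-[0-9]*-*; do
        # Regular, executable, non-symlink files only.
        if [ ! -f "$f" ] || [ ! -x "$f" ] || [ -L "$f" ]; then continue; fi
        # Skip anything group- or world-writable: libvirtd would run it as root.
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "skipping writable sub-hook: $f" >&2
            continue
        fi
        name=${f##*/}; rest=${name#"$event"-}; seq=${rest%%-*}
        case $seq in ''|*[!0-9]*) continue ;; esac   # <seq#> must be all digits
        printf '%s %s\n' "$seq" "$f"
    done | sort -n -k1,1 | cut -d' ' -f2-
}

# Run each sub-hook with the arguments libvirt passed to the top-level hook.
run_subhooks() {
    dir=$1 event=$2; shift 2
    list_subhooks "$dir" "$event" | while IFS= read -r hook; do
        # stdin is not forwarded here, so sub-hooks do not see the domain XML.
        "$hook" "$@" </dev/null || echo "sub-hook $hook exited $?" >&2
    done
}

# Dispatch only when invoked under a hook name; assumes $2 is the operation.
case ${0##*/} in
    qemu|daemon) run_subhooks "$HOOKS_ROOT/${0##*/}.d" "$2" "$@" ;;
esac
```

Because '**' lets libvirtd execute anything below the hooks directory, the dispatcher refuses sub-hooks that a non-owner could rewrite.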