I disagree that blanket access to /tmp should be allowed since it breaks
application isolation (see
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1403648/comments/12).
Perhaps a better compromise would be to change this:

  # allow access to charm-specific ceph config and silence spurious
  # denials (LP: #1403648).
  /var/lib/charm/*/ceph.conf r,
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,

to:

  # allow access to charm-specific ceph config and allow reads
  # on the /tmp directories to silence spurious denials without
  # breaking additional rules (LP: #1403648, LP: #1786159).
  /var/lib/charm/*/ceph.conf r,
  /{,var/}tmp/ r,
  owner /{,var/}tmp/**/ r,

At this point, people are free to add:

  owner /tmp/qemu-smb.*/{,**} rw,

The question then becomes, is the smb functionality in the domain XML in
a way that virt-aa-helper can query it at all? Apparently, it is not, so
I feel it is unreasonable to put it in the default libvirt policy.
People can modify /etc/apparmor.d/abstractions/libvirt-qemu for this
site-specific addition.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1786159

Title:
  qemu smb feature blocked by apparmor

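The comment's point is that an AppArmor `deny` rule wins over any `allow` rule that also matches, so the old `deny /tmp/{,**} r,` fragment would silently defeat a later `owner /tmp/qemu-smb.*/{,**} rw,` addition, while the proposed directory-only reads do not. The following is an added example, not part of the bug thread or of libvirt: a simplified model of AppArmor path globbing and deny-over-allow precedence that evaluates both fragments against a constructed path (the `owner` qualifier is ignored, and the rule lists and `qemu-smb.abc123` directory name are assumptions).

```python
import re

def _translate(glob):
    """Turn an AppArmor path glob into a regex body.
    '**' matches any characters including '/', '*' any characters except '/',
    and '{a,b}' is alternation (one level deep, which is all these rules need)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "{":
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(_translate(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return "".join(out)

def matches(glob, path):
    """True when the whole path is matched by the AppArmor glob."""
    return re.fullmatch(_translate(glob), path) is not None

def check(rules, path, perm):
    """Decide whether 'perm' on 'path' is permitted by a list of (kind, glob, perms).
    As in AppArmor, an explicit deny overrides any allow that also matches;
    the 'owner' qualifier is ignored in this simplified model."""
    if any(k == "deny" and perm in p and matches(g, path) for k, g, p in rules):
        return "denied (explicit deny)"
    if any(k == "allow" and perm in p and matches(g, path) for k, g, p in rules):
        return "allowed"
    return "denied (no rule)"

# The abstraction fragment quoted in the comment, before and after the proposed change.
OLD = [("allow", "/var/lib/charm/*/ceph.conf", "r"),
       ("deny", "/tmp/{,**}", "r"),
       ("deny", "/var/tmp/{,**}", "r")]
NEW = [("allow", "/var/lib/charm/*/ceph.conf", "r"),
       ("allow", "/{,var/}tmp/", "r"),
       ("allow", "/{,var/}tmp/**/", "r")]
# Site-specific addition from the comment; the directory name below is constructed.
SITE = [("allow", "/tmp/qemu-smb.*/{,**}", "rw")]
SAMPLE = "/tmp/qemu-smb.abc123/smb.conf"

if __name__ == "__main__":
    print("old + site:", check(OLD + SITE, SAMPLE, "r"))  # denied (explicit deny)
    print("new + site:", check(NEW + SITE, SAMPLE, "r"))  # allowed
    print("new only:  ", check(NEW, SAMPLE, "r"))         # denied (no rule)
```

With the new fragment alone the file read is still refused, but only for lack of a matching rule, which is exactly the gap the site-specific `owner` line is meant to fill.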