diff --git a/examples/Makefile.am b/examples/Makefile.am
index ef2f79db3..d8cdb9b3f 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -23,7 +23,7 @@ EXTRA_DIST = \
 	apparmor/TEMPLATE.lxc \
 	apparmor/libvirt-qemu \
 	apparmor/libvirt-lxc \
-	apparmor/usr.lib.libvirt.virt-aa-helper \
+	apparmor/usr.libexec.virt-aa-helper \
 	apparmor/usr.sbin.libvirtd \
 	lxcconvert/virt-lxc-convert \
 	polkit/libvirt-acl.rules \
@@ -70,7 +70,7 @@ admin_logging_SOURCES = admin/logging.c
 if WITH_APPARMOR_PROFILES
 apparmordir = $(sysconfdir)/apparmor.d/
 apparmor_DATA = \
-	apparmor/usr.lib.libvirt.virt-aa-helper \
+	apparmor/usr.libexec.virt-aa-helper \
 	apparmor/usr.sbin.libvirtd \
 	$(NULL)
 
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index d4fad85a1..0b22009e5 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -86,6 +86,8 @@
   /usr/share/AAVMF/** r,
   /usr/share/qemu-efi/** r,
   /usr/share/slof/** r,
+  /usr/share/seavgabios/** r,
+  /usr/share/edk2-ovmf/** r,
 
   # access PKI infrastructure
   /etc/pki/libvirt-vnc/** r,
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.libexec.virt-aa-helper
similarity index 92%
rename from examples/apparmor/usr.lib.libvirt.virt-aa-helper
rename to examples/apparmor/usr.libexec.virt-aa-helper
index bd6181d00..4086f140a 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.libexec.virt-aa-helper
@@ -1,7 +1,7 @@
 # Last Modified: Mon Apr  5 15:10:27 2010
 #include <tunables/global>
 
-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+profile virt-aa-helper /usr/libexec/virt-aa-helper {
   #include <abstractions/base>
 
   # needed for searching directories
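Review bot: The new attachment `/usr/libexec/virt-aa-helper` on the `profile` line drops the `/usr/{lib,lib64}/libvirt/` locations, and because `examples/Makefile.am` lists this file under `EXTRA_DIST` and `apparmor_DATA`, the path is presumably fixed rather than substituted from the configured libexecdir at build time. On a host where the helper is still installed under `/usr/lib/libvirt`, the profile would no longer attach, and the `/usr/{lib,lib64}/libvirt/* PUxr` rule kept in `usr.sbin.libvirtd` would then fall back to running the helper unconfined. I would keep the old locations in the alternation, `profile virt-aa-helper /usr/{lib/libvirt,lib64/libvirt,libexec}/virt-aa-helper {`, and make the same change to the `mr` rule in the `@@ -32,7 +32,7 @@` hunk. The profile body continues outside this hunk.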
@@ -32,7 +32,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
   deny /dev/mapper/ r,
   deny /dev/mapper/* r,
 
-  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+  /usr/libexec/virt-aa-helper mr,
   /{usr/,}sbin/apparmor_parser Ux,
 
   /etc/apparmor.d/libvirt/* r,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 8d61d154e..656a5595b 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -84,8 +84,10 @@
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
   /usr/{lib,lib64}/libvirt/* PUxr,
-  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
-  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
+  /usr/libexec/virt-aa-helper PUxr,
+  /usr/libexec/libvirt_lxc PUxr,
+  /usr/libexec/libvirt_parthelper ix,
+  /usr/libexec/libvirt_iohelper ix,
   /etc/libvirt/hooks/** rmix,
   /etc/xen/scripts/** rmix,