On 2018-03-18 11:00, intrigeri wrote:
Thanks for the bug report + debugging + solution!
I'm reassigning to the package that ships the faulty profile.
Let's submit this to libvirt upstream
(https://www.redhat.com/mailman/listinfo/libvir-list). Do you want to
do it yourself or shall I?
It might be best if you could do that, since you're probably much more
familiar with the interaction between AppArmor and libvirt (and the
bug-reporting process) than I am.
Now, one question before we move this upstream: does virt-aa-helper
really need write access to /var/lib/nova/instances/**?
Knowing a little bit what this helper does, I can't imagine why it
would; and in your logs I see only denied_mask="r".
You're right. I did some testing and found that only one rule is needed
(for QCOW backing files):
/var/lib/nova/instances/_base/* r
It seems the instance disk images are covered by the existing rule:
/**/disk{,.*} r
Probably it would be more appropriate to put that in a separate
profile?
I think it's fine to add these lines to usr.lib.libvirt.virt-aa-helper.
OK. I wasn't sure, since these rules are specific to Nova.
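Added example, not part of the bug thread or of the libvirt/Nova profiles: a small Python model of AppArmor path globbing that checks which of the two read-only rules discussed above (the existing `/**/disk{,.*} r` and the proposed `/var/lib/nova/instances/_base/* r`) would cover a given denial, and confirms that a `denied_mask="w"` would still be refused. The glob translation is a simplified assumption covering only `**`, `*`, `?` and `{a,b}`; the audit lines, paths and ids are constructed, with only the field layout following the real audit.log format.

```python
import re

# Assumption: a simplified model of AppArmor path globbing, enough for the
# operators used in the profile lines discussed in the thread:
#   **      any characters, including '/'
#   *       any characters except '/'
#   ?       one character except '/'
#   {a,b}   alternation (no nested braces)
def _translate(pattern):
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(_translate(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def apparmor_glob(pattern):
    """Compile an AppArmor path glob into an anchored regular expression."""
    return re.compile("^" + _translate(pattern) + "$")


# The two read-only rules from the thread: the existing one for instance
# disks and the proposed one for QCOW backing files.
RULES = [
    ("/**/disk{,.*}", "r"),
    ("/var/lib/nova/instances/_base/*", "r"),
]

_NAME = re.compile(r'name="([^"]+)"')
_MASK = re.compile(r'denied_mask="([^"]+)"')


def covering_rule(path, mask, rules=RULES):
    """Return the glob of the first rule that matches `path` and grants every
    permission letter in `mask`, or None when the access would still be denied."""
    for glob, perms in rules:
        if apparmor_glob(glob).match(path) and set(mask) <= set(perms):
            return glob
    return None


def evaluate_denials(lines, rules=RULES):
    """For each audit line, return (path, denied_mask, covering rule or None)."""
    result = []
    for line in lines:
        name, mask = _NAME.search(line), _MASK.search(line)
        if name and mask:
            path, m = name.group(1), mask.group(1)
            result.append((path, m, covering_rule(path, m, rules)))
    return result


# Constructed sample denials (made-up instance id and backing-file name).
SAMPLE_LOG = [
    'apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/3c1e-example/disk" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/3c1e-example/disk.config" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/_base/0123abcd" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/_base/nested/0123abcd" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/_base/0123abcd" denied_mask="w"',
]

if __name__ == "__main__":
    for path, mask, rule in evaluate_denials(SAMPLE_LOG):
        print(f"{path} ({mask}): {'allowed by ' + rule if rule else 'still denied'}")
```

Running it shows why the thread settled on two rules: `/**/disk{,.*}` reaches the per-instance `disk` and `disk.*` files at any depth because `**` crosses directory boundaries, while the `_base` rule uses a single `*` and so only covers files directly under `_base/`, and neither rule grants the write access the original report had asked for.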