Hi,

On 04.01.2014 18:19, Guido Günther wrote:
> Hi Felix,
> On Fri, Jan 03, 2014 at 10:58:14PM +0100, Felix Geyer wrote:
>> I've ported and tested the libvirt AppArmor support from the Ubuntu package.
>>
>> The only difference in the profiles is this addition to 
>> usr.lib.libvirt.virt-aa-helper:
>>   /etc/libnl-[0-9]/classid r,
>>
>> It can be enabled by setting this in /etc/libvirt/qemu.conf:
>> security_driver = "apparmor"
> 
> Can you please work on upstreaming this? I don't see why this should be
> in the Debian package. Who is going to maintain these policies in the
> future?
> Cheers,
>  -- Guido

The upstream source already contains example profiles. It's generally not
feasible to maintain AppArmor profiles upstream because of distro differences
and changes.

The profiles usr.sbin.libvirtd and usr.lib.libvirt.virt-aa-helper could be
easily maintained in a separate apparmor profile package. intrigeri proposed an
apparmor-profiles-extra package [1] that would be maintained by an AppArmor
Debian team.
I am committed to maintaining the libvirt profiles.

Having libvirt-qemu outside of libvirt is problematic because the AppArmor
driver of libvirt uses it to generate profiles for the VMs. When it's missing,
starting VMs will fail (when the AppArmor driver is enabled).

Cheers,
Felix

[1] https://lists.ubuntu.com/archives/apparmor/2014-January/004876.html

