On Wed, Nov 27, 2024 at 10:39:18PM +0100, Hilko Bengen wrote:
> * Stefano Brivio:
>
> > Control: reassign 1086844 guestfs-tools
> >
> > So, I went ahead and submitted a proposal for a very loose initial
> > AppArmor profile for guestfs-tools:
> >
> > https://salsa.debian.org/libvirt-team/guestfs-tools/-/merge_requests/1
> >
> > I checked functionality of several tools, with and without passt, as
> > root and as regular user, etc. Outside of the passt subprofile, rules
> > should be loose enough as to be quite unlikely to introduce any issue.
>
> Stefano, I have added your patch to the package and uploaded a new
> version. Thanks.
>
> Rich, do you think the AppArmor policy should be part of the upstream
> source distribution?

I don't really have an opinion on it. For SELinux policies, they have
traditionally been shipped monolithically downstream. But in a
relatively recent change some are now shipped upstream, eg the one for
passt is here:

https://passt.top/passt/tree/contrib/selinux

I think my only concern is how portable AppArmor policies are between
distros that use them. (I think for SELinux, they're not very portable
between eg. Fedora & SUSE).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v