apparmor: ceph config file names

If running multiple [1] clusters (uncommon) the ceph config file will be
derived from the cluster name. Therefore the rule to allow to read ceph
config files need to be opened up slightly to allow for that condition.

[1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-clusters

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 4156428163621bc92dff1cb455336518b637e142..8cd76d48ec6ea6bab74ab987a8799241945faf70 100644 (file)
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -199,7 +199,7 @@
   /sys/class/ r,
 
   # for rbd
-  /etc/ceph/ceph.conf r,
+  /etc/ceph/*.conf r,
 
   # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
   # dir and a few known functions like samba support.