From: Jim Fehlig
Date: Wed, 16 Jun 2021 21:25:33 +0000 (-0600)
Subject: Apparmor: Allow reading /etc/ssl/openssl.cnf
X-Git-Tag: v7.5.0-rc1~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64ae7635e642bed571c45feb2b388719c7bf0b2a;p=thirdparty%2Flibvirt.git

Apparmor: Allow reading /etc/ssl/openssl.cnf

I noticed the following denial when running confined VMs with the QEMU
driver

type=AVC msg=audit(1623865089.263:865): apparmor="DENIED" operation="open" \
profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=12503 \
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Allow reading the file by including the openssl abstraction in the
virt-aa-helper profile.

Signed-off-by: Jim Fehlig
Reviewed-by: Christian Ehrhardt
---

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index 8ebb47596a..ff1d46bebe 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -2,6 +2,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { #include + #include # needed for searching directories capability dac_override,
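
Review bot: The added `+ #include` line at the top of the virt-aa-helper profile body has no comment saying why it is needed, while the `capability dac_override,` rule right after it carries one (`# needed for searching directories`). A one-line comment naming the denied path from the commit message, /etc/ssl/openssl.cnf, would keep the reason next to the rule for whoever audits this profile later. The logged denial is a single read (requested_mask="r") of that one file, so the commit message should also say why the whole openssl abstraction is preferred over a single read rule for that path, since an include grants everything the abstraction contains rather than just this file.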