From: Christian Ehrhardt Date: Thu, 7 Oct 2021 11:27:35 +0000 (+0200) Subject: apparmor: ceph config file names X-Git-Tag: v7.9.0-rc1~239 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3c5a8ec735ac62817d6d4c42e89720cbbfeaf9c;p=thirdparty%2Flibvirt.git apparmor: ceph config file names If running multiple [1] clusters (uncommon) the ceph config file will be derived from the cluster name. Therefore the rule to allow to read ceph config files need to be opened up slightly to allow for that condition. [1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-clusters Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576 Signed-off-by: Christian Ehrhardt Reviewed-by: Michal Privoznik --- diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 4156428163..8cd76d48ec 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -199,7 +199,7 @@ /sys/class/ r, # for rbd - /etc/ceph/ceph.conf r, + /etc/ceph/*.conf r, # Various functions will need to enumerate /tmp (e.g. ceph), allow the base # dir and a few known functions like samba support.
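Review bot: The `# for rbd` comment above the changed rule `/etc/ceph/*.conf r,` no longer explains why the path is a glob. Consider extending it to say that the config file name is derived from the cluster name when multiple clusters are run, as the commit message describes, so a later reader does not narrow it back to `ceph.conf`. On scope: the new rule lets every confined guest read any `.conf` file directly under `/etc/ceph/`, not only the file for the cluster it uses. Since `*` in AppArmor path rules does not match `/`, the rule does not reach into subdirectories, and access stays read-only (`r`), which is consistent with the stated intent of opening the rule up only slightly. It would still be worth confirming that nothing else with a `.conf` suffix is expected in that directory.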