[Bug 545426] Re: SDL support broken when using apparmor
Jamie Strandboge
jamie at ubuntu.com
Wed Apr 14 04:51:19 BST 2010
Ancoron, this isn't a 'quick hack'. The /mnt, /media and /srv read permissions are for virt-aa-helper, not the virtual machines. virt-aa-helper is used by the libvirtd daemon to dynamically update the profiles for individual VM definitions, and uses the libvirt API extensively. While virt-aa-helper itself has an AppArmor profile, it is mostly just to make sure that it can't execute other programs or write to anywhere other than /etc/apparmor.d/libvirt. The profile needs to allow reading of ISOs and VM disk images (so it can check for backing store via the libvirt API), and so (limited) read access to the standard storage pool location, $HOME and removable media and filesystems is given. Not including /srv, /mnt and /media was an oversight. If an administrator saves files in other locations, he/she is expected to update the AppArmor profile accordingly.
For more on how the AppArmor security driver for libvirt works, please
see /usr/share/doc/libvirt-bin/README.Debian.gz.
--
SDL support broken when using apparmor
https://bugs.launchpad.net/bugs/545426
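As an added example (not from the bug report or from the libvirt package), this is the kind of read-only extension an administrator would make when images live outside the standard storage locations; the override file path and the /data/vmimages directory are assumptions.

```apparmor
# Added example, not part of the bug report or the libvirt package.
# Assumed: these rules go in the local override for the virt-aa-helper
# profile (path is an assumption, check your distribution), e.g.
#   /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper
# Assumed: VM disk images and ISOs are kept under /data/vmimages.

# virt-aa-helper only inspects images (backing store lookup via the
# libvirt API), so read is all it needs; keep the rules read-only.
/data/vmimages/ r,
/data/vmimages/** r,

# Make any write attempt by the helper show up in the audit log rather
# than fail silently; it should never need to write to image storage.
audit deny /data/vmimages/** w,
```

Reload the profile with `apparmor_parser -r` on the main virt-aa-helper profile file (filename assumed) and confirm that the DENIED entries for the helper in the kernel log stop while VM definitions still update.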