[Bug 1331081] [NEW] please split libvirt-driver apparmor abstraction for qemu and containers
Jamie Strandboge
jamie at ubuntu.com
Tue Jun 17 16:46:24 UTC 2014
Public bug reported:
1.2.5 introduces apparmor support for libvirt-lxc, which is great, however the method used renames the old /etc/apparmor.d/abstractions/libvirt-qemu to libvirt-driver. This is problematic for a couple of reasons:
1. abstractions/libvirt-qemu contains policy specific to qemu VMs (i.e., why would a container need '/usr/bin/qemu-system-x86_64 rmix,'?)
2. presumably likewise, container policy will be needed that shouldn't be given to qemu VMs
Instead of using 'abstractions/libvirt-driver', we can instead either:
* ship both 'abstractions/libvirt-qemu' and 'abstractions/libvirt-lxc', adjust the TEMPLATE to include neither, and adjust the apparmor driver to inject the proper abstraction based on the driver in use
* ship both 'abstractions/libvirt-qemu' and 'abstractions/libvirt-lxc', ship two different templates (eg, TEMPLATE.qemu and TEMPLATE.libvirt-lxc), and adjust the apparmor driver to choose the proper template based on the driver in use
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1331081
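
The following check is an added example, not part of the bug report or libvirt's own code. It expands a template's abstraction includes and lists the file rules a domain would inherit that belong to the other driver, comparing the shared 'abstractions/libvirt-driver' layout with per-driver templates. The abstraction contents, the `FOREIGN` patterns and all function names are assumptions constructed for illustration; only the qemu-system-x86_64 rule comes from the report.

```python
import re

# Constructed sample policy, not libvirt's shipped files. Only the
# qemu-system-x86_64 rule is quoted from the bug report.
ABSTRACTIONS = {
    "libvirt-driver": "  /usr/bin/qemu-system-x86_64 rmix,\n  /dev/kvm rw,\n",
    "libvirt-qemu": "  /usr/bin/qemu-system-x86_64 rmix,\n  /dev/kvm rw,\n",
    "libvirt-lxc": "  /sys/fs/cgroup/** r,\n",
}
SHARED_TEMPLATE = "profile LIBVIRT_TEMPLATE {\n  #include <abstractions/libvirt-driver>\n}\n"
SPLIT_TEMPLATES = {  # one template per driver, as the second option proposes
    "qemu": "profile LIBVIRT_TEMPLATE {\n  #include <abstractions/libvirt-qemu>\n}\n",
    "lxc": "profile LIBVIRT_TEMPLATE {\n  #include <abstractions/libvirt-lxc>\n}\n",
}
# Assumption: path patterns that have no business in the other driver's profile.
FOREIGN = {
    "lxc": re.compile(r"/qemu-system-"),
    "qemu": re.compile(r"/libvirt_lxc$"),
}
INCLUDE_RE = re.compile(r"^\s*#?include\s+<abstractions/([^>]+)>")
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),")


def file_rules(text, abstractions, origin="template", seen=None):
    """Yield (origin, path, perms) for each file rule, following includes once."""
    seen = set() if seen is None else seen
    for line in text.splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            name = inc.group(1)
            if name in abstractions and name not in seen:
                seen.add(name)
                yield from file_rules(abstractions[name], abstractions, name, seen)
            continue
        rule = RULE_RE.match(line)
        if rule:
            yield origin, rule.group(1), rule.group(2)


def foreign_rules(driver, template, abstractions=ABSTRACTIONS):
    """Return the rules a domain of `driver` would get that belong to another driver."""
    return [r for r in file_rules(template, abstractions) if FOREIGN[driver].search(r[1])]


if __name__ == "__main__":
    for driver in ("qemu", "lxc"):
        print(driver, "shared:", foreign_rules(driver, SHARED_TEMPLATE))
        print(driver, "split: ", foreign_rules(driver, SPLIT_TEMPLATES[driver]))
```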