Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf
If people use non-default paths they should use local overrides but the
suggested defaults we should open up.
This is the default path as referenced by src/qemu/qemu.conf in libvirt.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
examples/apparmor/libvirt-qemu | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index bb30530..5d811f9 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -170,6 +170,10 @@
/etc/pki/libvirt/ r,
/etc/pki/libvirt/** r,
+ # for use by libvirt-spice (LP: #1690140)
+ /etc/pki/libvirt-spice/ r,
+ /etc/pki/libvirt-spice/** r,
+
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
--
2.7.4
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > Adding the PKI path that is used as default suggestion in > src/qemu/qemu.conf > If people use non-default paths they should use local overrides but > the > suggested defaults we should open up. > > This is the default path as referenced by src/qemu/qemu.conf in > libvirt. > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140 > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> > --- > examples/apparmor/libvirt-qemu | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/examples/apparmor/libvirt-qemu > b/examples/apparmor/libvirt-qemu > index bb30530..5d811f9 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -170,6 +170,10 @@ > /etc/pki/libvirt/ r, > /etc/pki/libvirt/** r, > > + # for use by libvirt-spice (LP: #1690140) > + /etc/pki/libvirt-spice/ r, > + /etc/pki/libvirt-spice/** r, > + +1 to apply -- Jamie Strandboge | http://www.canonical.com-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Jamie Strandboge: >> + # for use by libvirt-spice (LP: #1690140) >> + /etc/pki/libvirt-spice/ r, >> + /etc/pki/libvirt-spice/** r, > +1 to apply +1 as well, although I'd prefer some minor refactoring to merge this with the 2 already existing libvirt-vnc PKI sections (that were added in two different places in the file 7 years apart, but apparently are about the exact same use case). Something like this should allow replacing these two existing sections and the third one you're proposing we add: # for use by libvirt-vnc and libvirt-spice (LP: #901272, #1690140) /etc/pki/CA/ r, /etc/pki/CA/* r, /etc/pki/libvirt{,-spice,-vnc}/ r, /etc/pki/libvirt{,-spice,-vnc}/** r, What do you think? Cheers, -- intrigeri -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On Wed, Dec 20, 2017 at 10:45 AM, intrigeri <intrigeri+libvirt@boum.org> wrote: > Jamie Strandboge: >>> + # for use by libvirt-spice (LP: #1690140) >>> + /etc/pki/libvirt-spice/ r, >>> + /etc/pki/libvirt-spice/** r, > >> +1 to apply > > +1 as well, although I'd prefer some minor refactoring to merge this > with the 2 already existing libvirt-vnc PKI sections (that were added > in two different places in the file 7 years apart, but apparently are > about the exact same use case). > > Something like this should allow replacing these two existing sections > and the third one you're proposing we add: > > # for use by libvirt-vnc and libvirt-spice (LP: #901272, #1690140) > /etc/pki/CA/ r, > /etc/pki/CA/* r, > /etc/pki/libvirt{,-spice,-vnc}/ r, > /etc/pki/libvirt{,-spice,-vnc}/** r, > > What do you think? Yes I like to take the opportunity to make this more readable in one place while adding -spice. Thanks for the suggestion! Submitting as a v2 in reply ... -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf
If people use non-default paths they should use local overrides but the
suggested defaults we should open up.
This is the default path as referenced by src/qemu/qemu.conf in libvirt.
While doing so merge the several places we have to cover PKI access into
one.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
examples/apparmor/libvirt-qemu | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index fa2b753..f206f6c 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -88,8 +88,11 @@
/usr/share/qemu-efi/** r,
/usr/share/slof/** r,
- # access PKI infrastructure
- /etc/pki/libvirt-vnc/** r,
+ # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+ /etc/pki/CA/ r,
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
# the various binaries
/usr/bin/kvm rmix,
@@ -156,12 +159,6 @@
/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr,
- # for use by libvirt-vnc (LP: #901272)
- /etc/pki/CA/ r,
- /etc/pki/CA/* r,
- /etc/pki/libvirt/ r,
- /etc/pki/libvirt/** r,
-
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
--
2.7.4
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Christian Ehrhardt: > Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf > If people use non-default paths they should use local overrides but the > suggested defaults we should open up. > This is the default path as referenced by src/qemu/qemu.conf in libvirt. > While doing so merge the several places we have to cover PKI access into > one. > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140 > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Looks good, thanks for the refactoring ⇒ +1 for applying. -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On Wed, 2017-12-20 at 12:41 +0100, Christian Ehrhardt wrote: > Adding the PKI path that is used as default suggestion in > src/qemu/qemu.conf > If people use non-default paths they should use local overrides but > the > suggested defaults we should open up. > > This is the default path as referenced by src/qemu/qemu.conf in > libvirt. > > While doing so merge the several places we have to cover PKI access > into > one. > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140 > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> > --- > examples/apparmor/libvirt-qemu | 13 +++++-------- > 1 file changed, 5 insertions(+), 8 deletions(-) > > diff --git a/examples/apparmor/libvirt-qemu > b/examples/apparmor/libvirt-qemu > index fa2b753..f206f6c 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -88,8 +88,11 @@ > /usr/share/qemu-efi/** r, > /usr/share/slof/** r, > > - # access PKI infrastructure > - /etc/pki/libvirt-vnc/** r, > + # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) > + /etc/pki/CA/ r, > + /etc/pki/CA/* r, > + /etc/pki/libvirt{,-spice,-vnc}/ r, > + /etc/pki/libvirt{,-spice,-vnc}/** r, > > # the various binaries > /usr/bin/kvm rmix, > @@ -156,12 +159,6 @@ > /usr/{lib,lib64}/qemu/*.so mr, > /usr/lib/@{multiarch}/qemu/*.so mr, > > - # for use by libvirt-vnc (LP: #901272) > - /etc/pki/CA/ r, > - /etc/pki/CA/* r, > - /etc/pki/libvirt/ r, > - /etc/pki/libvirt/** r, > - > # for save and resume > /{usr/,}bin/dash rmix, > /{usr/,}bin/dd rmix, +1 to apply. Thanks for the patch and intrigeri for the feedback. -- Jamie Strandboge | http://www.canonical.com-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
© 2016 - 2025 Red Hat, Inc.