Comment 17 for bug 1004606

Theodor van Nahl (tvn87) wrote :

In the /etc/apparmor.d/local/usr.sbin.libvirtd file I just created one rule to give libvirtd read and write access to the images in my storage pool with the following line:

            "/var/lib/libvirt/images/*.img" rw,

As a preliminary note: I have created my own naming convention for my overlays, which are used for incremental backups to another server. This convention can be found in my abstraction and has to be adjusted to your own needs.

First of all I've created my own abstraction as /etc/apparmor.d/local/abstraction-libvirt-storage. This file gives the clients access to the important images like this:

        "/var/lib/libvirt/images/*.base.img" rw,
        "/var/lib/libvirt/images/*.stable_overlay.img" rw,
        "/var/lib/libvirt/images/*.running.img" rw,

The /etc/apparmor.d/libvirt/TEMPLATE file is the source for all rule files in /etc/apparmor.d/libvirt/. There you need to source abstraction-libvirt-storage, so the TEMPLATE looks similar to this one (adjust to your own needs):

# path variables (@{PROC} etc.) used by abstractions/libvirt-qemu
#include <tunables/global>

profile LIBVIRT_TEMPLATE {
  #include <abstractions/libvirt-qemu>
  #include <local/abstraction-libvirt-storage>
}

It is also possible to put the contents of the abstraction-libvirt-storage file directly into the TEMPLATE, but a change to some of the rules would then require editing multiple files ( /etc/apparmor.d/libvirt/* ).

I hope this will help. These adjustments should be fine for security requirements, because the host should still be secured against guests, and that's the only thing you can do with libvirt+apparmor.
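The three edits from the comment above, carried out as one idempotent script so they can be applied to a test tree before touching /etc/apparmor.d. This is an added example, not code from the bug comment or from libvirt; the image naming convention and the file names are taken from the comment, while the function names, the APPARMOR_ROOT override, the reload step and the per-guest profile check are assumptions. Paths are relative to the AppArmor root passed as the first argument (default /etc/apparmor.d).

```shell
#!/bin/sh
# Added example (not from the bug comment): install the libvirtd rule, the
# storage abstraction and the TEMPLATE include under an AppArmor root.
set -eu

# Write local/abstraction-libvirt-storage: rules that every per-guest
# profile generated from libvirt/TEMPLATE will include.
write_storage_abstraction() {
    root=$1
    mkdir -p "$root/local"
    cat > "$root/local/abstraction-libvirt-storage" <<'EOF'
  # storage pool naming convention (adjust to your own needs)
  "/var/lib/libvirt/images/*.base.img" rw,
  "/var/lib/libvirt/images/*.stable_overlay.img" rw,
  "/var/lib/libvirt/images/*.running.img" rw,
EOF
}

# Append the libvirtd rule to local/usr.sbin.libvirtd, once.
add_libvirtd_rule() {
    root=$1
    rule='  "/var/lib/libvirt/images/*.img" rw,'
    mkdir -p "$root/local"
    touch "$root/local/usr.sbin.libvirtd"
    if ! grep -qxF "$rule" "$root/local/usr.sbin.libvirtd"; then
        printf '%s\n' "$rule" >> "$root/local/usr.sbin.libvirtd"
    fi
}

# Insert the include into libvirt/TEMPLATE directly after the
# abstractions/libvirt-qemu include, once.
patch_template() {
    root=$1
    tpl=$root/libvirt/TEMPLATE
    inc='  #include <local/abstraction-libvirt-storage>'
    if grep -qxF "$inc" "$tpl"; then
        return 0
    fi
    awk -v inc="$inc" \
        '{ print } /^[ \t]*#include <abstractions\/libvirt-qemu>/ { print inc }' \
        "$tpl" > "$tpl.tmp" && mv "$tpl.tmp" "$tpl"
    grep -qxF "$inc" "$tpl"
}

# Check that the profile virt-aa-helper generated for one guest
# (libvirt/libvirt-<uuid>) carries the include. Profiles generated before
# TEMPLATE was changed are regenerated from it when the guest is restarted.
guest_profile_has_storage_rules() {
    root=$1
    uuid=$2
    grep -qF 'abstraction-libvirt-storage' "$root/libvirt/libvirt-$uuid"
}

# Reload the libvirtd profile so the new rule takes effect; skipped where
# apparmor_parser is not installed (e.g. when run against a test tree).
reload_profiles() {
    root=$1
    if ! command -v apparmor_parser >/dev/null 2>&1; then
        echo "apparmor_parser not found, skipping reload" >&2
        return 0
    fi
    apparmor_parser -r "$root/usr.sbin.libvirtd"
}

# Usage: sh libvirt-storage-aa.sh install [APPARMOR_ROOT]
if [ "${1:-}" = "install" ]; then
    root=${2:-/etc/apparmor.d}
    write_storage_abstraction "$root"
    add_libvirtd_rule "$root"
    patch_template "$root"
    reload_profiles "$root"
fi
```

Run it once against a scratch directory holding a copy of libvirt/TEMPLATE to see the resulting files, then against /etc/apparmor.d as root; running it twice must not duplicate the rule or the include, which is what the grep guards enforce.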