using .iso files from ~Downloads should work
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
FYI: This is a fork of bug 1784001
Here we want to focus on a rather common expectation and use-case.
Which is downloading an IOS => defaults to ~/Downloads/foo.iso
And then using that to create a guest in virt-manager.
We have documented that the use for uncommon paths is insecure and needs explicit admin allowance via apparmor local include files, see "Apparmor isolation" => https:/
But the common paths to be expected are:
56 @{HOME}/ r,
57 @{HOME}/** r,
58 /var/lib/
59 /var/lib/
The latter for typical system usage and working fine (reported as workaround to get it going in the bug this was forked from).
But while one could argue allowing @HOME is a security issue in the first place it was added ages ago for user comfort and for now is as it is.
Due to that virt-aa-helper should be able to read images (and ISO should be just images in that regard) in the home directories and add permissions to access them to the dynamic per-guest profile based on what virt-manager creates.
But we've got reports of permission denied (see https:/
Next steps:
1. reproduce the situation
2. analyze the created dynamic per-guest apparmor profile (is the .iso there and if so which rule exactly)
3. analyze the permission denied issue, is it apparmor at all, is it file ownership, ... ?
tags: | added: server-todo |
Status changed to 'Confirmed' because the bug affects multiple users.