I disagree that blanket access to /tmp should be allowed since it breaks application isolation (see https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1403648/comments/12). Perhaps a better compromise would be to change this:
# allow access to charm-specific ceph config and silence spurious
# denials (LP: #1403648).
/var/lib/charm/*/ceph.conf r,
deny /tmp/{,**} r,
deny /var/tmp/{,**} r,
to:
# allow access to charm-specific ceph config and allow reads
# on the /tmp directories to silence spurious denials without
# breaking additional rules (LP: #1403648, LP: #1786159).
/var/lib/charm/*/ceph.conf r,
/{,var/}tmp/ r,
owner /{,var/}tmp/**/ r,
At this point, people are free to add:
owner /tmp/qemu-smb.*/{,**} rw,
The question then becomes, is the smb functionality in the domain xml in a way that virt-aa-helper can query it at all? Apparently, it is not, so I feel it is unreasonable to put it in the default libvirt policy. People can modify /etc/apparmor.d/abstractions/libvirt-qemu for this site-specific addition.
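To make the effect of the proposed compromise concrete, here is an added example that is not part of this bug thread or of libvirt: a small Python script that encodes the proposed abstraction rules (and, separately, the site-specific `owner /tmp/qemu-smb.*/{,**} rw,` addition), approximates AppArmor's path globbing with a regex translation, and runs constructed audit denial records through it to show which denials the new rules silence and which they still block. The profile name, pid, uids and file names in the sample records are made up; the matcher is a deliberate simplification (it evaluates rules one at a time, does not model explicit deny rules, and handles only `*`, `**` and `{a,b}`), not the kernel's DFA.

```python
import re

# Proposed libvirt-qemu abstraction rules from the comment above, encoded as
# (path glob, permission string, owner-qualified?) tuples.
PROPOSED_RULES = [
    ("/var/lib/charm/*/ceph.conf", "r", False),
    ("/{,var/}tmp/", "r", False),
    ("/{,var/}tmp/**/", "r", True),  # "owner" qualifier: fsuid must equal ouid
]

# The site-specific addition the comment leaves to local policy
# (hypothetical site rule for this example, not shipped by libvirt).
SITE_RULES = PROPOSED_RULES + [("/tmp/qemu-smb.*/{,**}", "rw", True)]


def _translate(glob: str) -> str:
    """Translate an AppArmor path glob into a regex body (simplified:
    '*' matches anything except '/', '**' matches anything including '/',
    '{a,b}' alternates; nested braces and character classes are not handled)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "{":
            j = glob.index("}", i)
            alternatives = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(_translate(a) for a in alternatives) + ")")
            i = j + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def glob_to_regex(glob: str) -> "re.Pattern":
    # A rule ending in '/' only matches directories; audit records report
    # directory names with a trailing slash, so anchoring both ends suffices.
    return re.compile("^" + _translate(glob) + "$")


AUDIT_FIELD = re.compile(r'(\w+)="?([^"\s]*)"?')


def parse_audit(line: str) -> dict:
    """Split an AppArmor audit record into its key=value fields."""
    return dict(AUDIT_FIELD.findall(line))


def is_allowed(entry: dict, rules) -> bool:
    """Would this denial disappear under `rules`? Each rule is checked on its
    own (real AppArmor accumulates permissions across matching rules) and
    explicit deny rules are not modelled."""
    path = entry["name"]
    wanted = set(entry.get("requested_mask", ""))
    for glob, perms, owner_only in rules:
        if not glob_to_regex(glob).match(path):
            continue
        if owner_only and entry.get("fsuid") != entry.get("ouid"):
            continue
        if wanted <= set(perms):
            return True
    return False


def triage(lines, rules=PROPOSED_RULES):
    """Return (path, silenced?) for every denial record."""
    return [(e["name"], is_allowed(e, rules)) for e in map(parse_audit, lines)]


# Constructed denial records in the kernel's AppArmor audit format; the
# profile name, pid and uids are invented for this example.
_PREFIX = ('audit: type=1400 audit(1535000000.123:45): apparmor="DENIED" '
           'operation="open" profile="libvirt-EXAMPLE-UUID" ')
_SUFFIX = ' pid=1234 comm="qemu-system-x86"'
SAMPLE_DENIALS = [
    # listing /tmp itself: the spurious denial the comment wants silenced
    _PREFIX + 'name="/tmp/"' + _SUFFIX + ' requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    # a directory the qemu process owns: covered by the owner rule
    _PREFIX + 'name="/tmp/qemu-smb.abc/"' + _SUFFIX + ' requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055',
    # another user's directory: the owner qualifier keeps it denied
    _PREFIX + 'name="/tmp/other-user/"' + _SUFFIX + ' requested_mask="r" denied_mask="r" fsuid=64055 ouid=1000',
    # a regular file under /tmp: no blanket read access, still denied
    _PREFIX + 'name="/tmp/secret.txt"' + _SUFFIX + ' requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055',
    # charm ceph config: allowed by the first rule
    _PREFIX + 'name="/var/lib/charm/ceph-mon/ceph.conf"' + _SUFFIX + ' requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    # writing inside the smb directory: only the site-specific rule covers it
    _PREFIX + 'name="/tmp/qemu-smb.abc/smb.conf"' + _SUFFIX + ' requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055',
]

if __name__ == "__main__":
    for label, rules in (("proposed", PROPOSED_RULES), ("with site rule", SITE_RULES)):
        print(label)
        for path, ok in triage(SAMPLE_DENIALS, rules):
            print(f"  {'silenced' if ok else 'still denied':12} {path}")
```

Running it shows the point of the compromise: directory listings of /tmp and of the process's own subdirectories stop producing denials, while reads of regular files under /tmp and of other users' directories remain blocked, and the smb write is only permitted once the site-specific rule is added locally.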