From: Prafulla Giri
To: Stefano Brivio
Date: Fri, 07 Feb 2025 06:49:45 +0000
Subject: Re: Apparmor (and other) Issues
Cc: Andrea Bolognani, passt-dev@passt.top

On Wednesday, February 5th, 2025 at 4:01 PM, Stefano Brivio wrote:

> But the libvirt profile is not associated to the
> process, oops.

Oh, so this is what is being worked upon: that AppArmor is not making the association, whereas SELinux is doing its thing as it's supposed to.

> We're just trying to make things as
> strict as possible, and depending on specific paths.

I see. I'm glad this approach of as-strict-as-possible is being taken.

> We'll probably need to make them a bit looser for the moment being and
> perhaps just allow passt, no matter who starts it, to write to
> /var/run/**.

I believe user-mode virtual machines only need access to /run/user/$USER and not /var/run. Not even /run/*, but only /run/user/$USER. So if that work-around is to be implemented, that would be the strictest version of it: each user-started passt process gets access to $XDG_RUNTIME_DIR of its owner (and not outside of it).

It also seems that more and more of us use $XDG_RUNTIME_DIR in lieu of /tmp in our personal shell scripts, because it kinda' feels like a more private /tmp.

Also, the `passt` update fixing the DNS issue hasn't yet made it to Debian Trixie. I figure it's going to take some time (?) Perhaps I should venture to Debian Sid, myself.
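An added illustration of the two rule shapes discussed in this message, the broad /var/run/** grant beside a rule limited to the owning user's runtime directory. This is example policy, not the libvirt or passt project's own profile; the profile name and attachment path are assumptions.

```apparmor
# Added example, not the libvirt or passt project's own profile.
# Profile name and attachment path are assumptions for illustration.
abi <abi/3.0>,
include <tunables/global>

profile passt-example /usr/bin/passt {
  include <abstractions/base>

  # Loose variant from the thread: any passt process, whoever started it,
  # may write anywhere under the runtime tree. @{run} comes from
  # tunables/global and covers both /run/ and /var/run/, since /var/run is
  # normally a symlink to /run and AppArmor mediates the resolved path.
  # @{run}/** rw,

  # Tighter variant: only the runtime directory of the user who owns the
  # process. The "owner" qualifier makes the rule match only files whose
  # owner uid equals the process's fsuid, so one user's passt cannot reach
  # another user's /run/user/<uid> even though the glob matches both.
  owner @{run}/user/[0-9]*/ rw,
  owner @{run}/user/[0-9]*/** rw,
}
```

When testing, load the profile in complain mode first and watch the audit log for DENIED or ALLOWED entries outside the owner's /run/user/<uid> before switching to enforce.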