diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index ac9dd5f6f..303fd074c 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -21,6 +21,7 @@ profile cockpit-certificate-helper @{exec_path} { @{bin}/openssl rix, @{bin}/rm rix, @{bin}/sscg rix, + @{bin}/sync rix, @{bin}/tr rix, /etc/machine-id r, diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index c2a7455ce..bb1ba03bf 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -10,6 +10,8 @@ include profile cockpit-desktop @{exec_path} { include + userns, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 0037b132c..7bf43ed4a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 7b0779119..8e3478072 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} { +profile cockpit-ws @{exec_path} flags=(attach_disconnected) { include include include @@ -21,6 +21,8 @@ profile cockpit-ws @{exec_path} { /usr/share/pixmaps/{,**} r, /etc/cockpit/ws-certs.d/ r, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r,