[libvirt] [PATCH] Fix starting qemu instances when apparmor driver is enabled

Jim Fehlig jfehlig at suse.com
Fri Mar 1 16:41:38 UTC 2013


Guannan Ren wrote:
> On 03/01/2013 08:37 AM, Jim Fehlig wrote:
>> Eric Blake wrote:
>>> On 02/27/2013 04:51 PM, Jim Fehlig wrote:
>>>   
>>>> With the apparmor security driver enabled, qemu instances fail
>>>> to start
>>>>
>>>> # grep ^security_driver /etc/libvirt/qemu.conf
>>>> security_driver = "apparmor"
>>>> # virsh start test-kvm
>>>> error: Failed to start domain test-kvm
>>>> error: internal error security label already defined for VM
>>>>
>>>> The model field of virSecurityLabelDef object is always populated
>>>> by virDomainDefGetSecurityLabelDef(), so remove the check for a
>>>> NULL model when verifying if a label is already defined for the
>>>> instance.
>>>>
>>>> Checking for a NULL model and populating it later in
>>>> AppArmorGenSecurityLabel() has been left in the code to be
>>>> consistent with virSecuritySELinuxGenSecurityLabel().
>>>> ---
>>>>   src/security/security_apparmor.c | 6 ++----
>>>>   1 file changed, 2 insertions(+), 4 deletions(-)
>>>>      
>>> ACK; and safe for 1.0.3.
>>>    
>> Thanks, pushed now.
>>
>
>     Hi Jim
>
>        In selinux, libvirt added a label for tapfd.
>        Do you think this patch makes sense for apparmor?
> https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html

Hi Guannan,

Apologies for missing your initial post of that series.  I see that you
fixed this exact bug in 2/3 :(.

I think 3/3 does make sense for apparmor, but I'm not sure about using
AppArmorSetImageFDLabel() as a common function.  It returns if
secdef->imagelabel == NULL, which would be incorrect if labeling a tap
fd, right?

I promise not to miss the patch if you respin it :).

Regards,
Jim



