[libvirt] [PATCH] Fix starting qemu instances when apparmor driver is enabled

Guannan Ren gren at redhat.com
Mon Mar 4 09:14:48 UTC 2013


On 03/02/2013 12:41 AM, Jim Fehlig wrote:
> Guannan Ren wrote:
>
>>      Hi Jim
>>
>>         In selinux, libvirt added a label for tapfd.
>>         Do you think this patch makes sense for apparmor?
>> https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html
> Hi Guannan,
>
> Apologies for missing your initial post of that series.  I see that you
> fixed this exact bug in 2/3 :(.
>
> I think 3/3 does make sense for apparmor, but I'm not sure about using
> AppArmorSetImageFDLabel() as a common function.  It returns if
> secdef->imagelabel == NULL, which would be incorrect if labeling a tap
> fd right?
>
> I promise not to miss the patch if you respin it :).
>
> Regards,
> Jim
>

Nothing to apologize for, I really don't know much about apparmor. The
tapfd I mean here is not used by the libvirt daemon; it is a tapfd created
on a particular guest which is using the macvtap driver to attach a virtual
NIC to a given physical interface.

From the code, secdef->imagelabel has the same value as secdef->label,
which is the libvirt-{uuid} file in the /etc/apparmor.d/libvirt folder.
If it is null, that means the guest will not be confined by apparmor, and
neither will this tapfd. I think this is fine.

If you think it is reasonable, I will rebase that patch and send a v2.

      Guannan



