[libvirt] [PATCH] Fix starting qemu instances when apparmor driver is enabled

Jim Fehlig jfehlig at suse.com
Wed Mar 6 23:23:42 UTC 2013


Guannan Ren wrote:
> On 03/02/2013 12:41 AM, Jim Fehlig wrote:
>> Guannan Ren wrote:
>>
>>>      Hi Jim
>>>
>>>         In selinux, libvirt added a label for tapfd.
>>>         Do you think this patch makes sense for apparmor?
>>> https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html
>> Hi Guannan,
>>
>> Apologies for missing your initial post of that series.  I see that you
>> fixed this exact bug in 2/3 :(.
>>
>> I think 3/3 does make sense for apparmor, but I'm not sure about using
>> AppArmorSetImageFDLabel() as a common function.  It returns if
>> secdef->imagelabel == NULL, which would be incorrect if labeling a tap
>> fd right?
>>
>> I promise not to miss the patch if you respin it :).
>>
>> Regards,
>> Jim
>>
>
>      Nothing to apologize for, I really don't know much about apparmor.
> The tapfd I mean here is not used by the libvirt daemon; it is a tapfd
> created for a particular guest which is using the macvtap driver to
> attach a virtual NIC to a given physical interface.
>      From the code, secdef->imagelabel has the same value as
> secdef->label, which is the libvirt-{uuid} file in the
> /etc/apparmor.d/libvirt folder. If it is null, that means the guest will
> not be confined by apparmor, and neither is this tapfd, so I think this
> is fine.

Yes, agreed.

>
>      If you think it is reasonable, I will rebase that patch and send
> a v2.

Yep, I think it is reasonable and necessary.  I finally got around to
testing your patch and it is indeed needed when using macvtap with
apparmor-confined guests.

Thanks for looking into this!

Regards,
Jim
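Added illustration of the point settled above, not code from libvirt or from either poster: a security driver that wants to label an already-open fd (here the macvtap fd) has to turn the fd back into a device path before that path can be added to the guest's AppArmor profile, and when the domain carries no label at all it is running unconfined, so returning early without labeling the fd is the correct behaviour rather than an oversight. The struct name `secdef_t`, the function `label_fd_path()`, the `/proc/self/fd/N` readlink approach and the `/dev/null` sample fd are assumptions made for this example.

```c
/* Added example, not libvirt's code.  Resolve an fd to the path that would
 * be added to a guest's AppArmor profile, skipping unconfined domains.
 * Assumed names: secdef_t, label_fd_path(), demo_*().  Linux-only (/proc). */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

typedef struct {
    const char *label;      /* profile name, e.g. "libvirt-<uuid>"; NULL = unconfined */
    const char *imagelabel; /* in the thread above this equals label */
} secdef_t;

/* Returns 1 and fills `out` with the fd's path when the fd must be labeled,
 * 0 when the domain is unconfined (nothing to do), -1 on error. */
int label_fd_path(const secdef_t *secdef, int fd, char *out, size_t outlen)
{
    char proc[64];
    ssize_t n;

    /* No label: the guest is not confined by AppArmor, so neither is this fd. */
    if (secdef == NULL || secdef->label == NULL)
        return 0;

    /* Map the fd back to the object it refers to, e.g. /dev/tap3 for macvtap. */
    snprintf(proc, sizeof(proc), "/proc/self/fd/%d", fd);
    n = readlink(proc, out, outlen - 1);
    if (n < 0)
        return -1;
    out[n] = '\0';

    /* Sockets and pipes resolve to "socket:[...]"/"pipe:[...]"; a profile
     * rule needs an absolute filesystem path, so reject anything else. */
    if (out[0] != '/')
        return -1;
    return 1;
}

/* Confined domain: the fd's path is recovered and must be labeled.
 * Returns 1 when the resolved path is the constructed sample /dev/null. */
int demo_confined(void)
{
    secdef_t sd = { "libvirt-0123", "libvirt-0123" };
    char path[256];
    int fd = open("/dev/null", O_RDONLY);   /* constructed sample fd */
    int rc, ok;

    if (fd < 0)
        return 0;
    rc = label_fd_path(&sd, fd, path, sizeof(path));
    ok = (rc == 1 && strcmp(path, "/dev/null") == 0);
    close(fd);
    return ok;
}

/* Unconfined domain: early return, and the output buffer is left untouched. */
int demo_unconfined(void)
{
    secdef_t sd = { NULL, NULL };
    char path[256] = "untouched";
    int fd = open("/dev/null", O_RDONLY);
    int rc, ok;

    if (fd < 0)
        return 0;
    rc = label_fd_path(&sd, fd, path, sizeof(path));
    ok = (rc == 0 && strcmp(path, "untouched") == 0);
    close(fd);
    return ok;
}

int main(void)
{
    printf("confined: %s\n", demo_confined() ? "labeled /dev/null" : "FAILED");
    printf("unconfined: %s\n", demo_unconfined() ? "skipped" : "FAILED");
    return 0;
}
```

The check for a leading `/` is the part worth keeping in mind: a macvtap fd resolves to a `/dev/tapN` path that a profile rule can name, whereas an fd that resolves to `socket:[...]` cannot be expressed as a file rule and should be reported as an error rather than silently passed through.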