On Tue, 28 Feb 2023 10:06:18 -0800
Andrea Bolognani <abologna(a)redhat.com> wrote:
On Tue, Feb 28, 2023 at 09:49:26AM -0500, Laine Stump wrote:
> + * QEMU: properly report passt startup errors
> +
> + Due to how the child passt process was started, the initial
> + support for passt (added in 9.0.0) would not see errors
> + encountered during startup, so libvirt would continue to setup and
> + start the guest; this led to a running guest with no network
> + connectivity. This issue has be corrected.
> +
> + (NB: it is still necessary to disable SELinux to start passt.)
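Review bot: the last sentence of the new entry has a typo, "This issue has be corrected." should read "This issue has been corrected."; in the same paragraph "continue to setup and start the guest" should use the verb form "set up".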
This is also true for AppArmor, so I would mention both.

Not in general -- thankfully, no pseudorandom label is forced by
libvirt 9.1.0 with AppArmor (because there are no labels), and libvirtd
simply runs passt unconfined (scrubbing the environment):
$ grep "/usr/bin" src/security/apparmor/usr.sbin.libvirtd.in
/usr/bin/* PUx,
Then yes, with any recent version of Debian and openSUSE packages of
passt, passt won't be able to create the socket or its PID file in the
path libvirt asks for, because of the profile shipping with passt
itself.
Still, that's not as bad as the deliberate breakage you have with
SELinux, and 'apparmor_parser -R /etc/apparmor.d/usr.bin.passt' will
do (checked on both Debian and openSUSE) -- no need for 'aa-teardown'.
Note that I'm *not* recommending to do this, just like I'm not
recommending to disable SELinux, and I don't think it's a good idea to
suggest in release notes that users do this, either.
--
Stefano
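As an added illustration of the point made above (not code from this thread, libvirt or passt): rather than unloading passt's AppArmor profile, an operator can check up front whether the socket and PID paths libvirt asks for are writable under the profile's file rules. The profile fragment and the requested paths below are constructed examples, and the glob translation is a simplified model of AppArmor path matching (ownership qualifiers are not evaluated).

```python
import re

# Constructed stand-in for a distro-shipped passt profile (not the real Debian/openSUSE file).
PASST_PROFILE = """
/usr/bin/passt {
  owner /run/user/*/passt*.{socket,pid}  rw,
  owner /tmp/passt*.socket               rw,
  owner /tmp/**.pid                      rw,
  /etc/passt/**                          r,
}
"""

RULE_RE = re.compile(r'^\s*(?:owner\s+)?(/\S+)\s+([a-zA-Z]+),\s*$')

def glob_to_regex(pattern):
    """AppArmor glob -> regex: '**' crosses '/', '*'/'?' do not, '{a,b}' alternates."""
    out, depth, i = '', 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith('**', i):
            out += '.*'; i += 2; continue
        if c == '[':                        # copy a character class through verbatim
            j = pattern.index(']', i)
            out += pattern[i:j + 1]; i = j + 1; continue
        if c == '*':   out += '[^/]*'
        elif c == '?': out += '[^/]'
        elif c == '{': out += '(?:'; depth += 1
        elif c == '}': out += ')';   depth -= 1
        elif c == ',' and depth: out += '|'
        else:          out += re.escape(c)
        i += 1
    return re.compile('^' + out + '$')

def parse_rules(profile):
    """Return (regex, permission set) for every file rule in the profile text."""
    return [(glob_to_regex(m.group(1)), set(m.group(2)))
            for m in map(RULE_RE.match, profile.splitlines()) if m]

def permitted(rules, path, perm):
    """AppArmor is default-deny: `perm` on `path` holds only if some rule grants it."""
    return any(perm in perms and rx.match(path) for rx, perms in rules)

def check_paths(profile, paths, perm='w'):
    """Map each path libvirt would hand to passt to whether the profile lets passt write it."""
    rules = parse_rules(profile)
    return {p: permitted(rules, p, perm) for p in paths}
```

Feed `check_paths` the profile actually installed under /etc/apparmor.d and the socket and PID paths from the guest's libvirt log; any `False` is a path the profile would deny before passt even starts.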