Re: [libvirt] [PATCH] Fix starting qemu instances when apparmor driver is enabled

On 03/02/2013 12:41 AM, Jim Fehlig wrote: > Guannan Ren wrote: > >> Hi Jim >> >> In selinux, libvirt added a label for tapfd. >> Do you think this patch makes sense for apparmor? >> https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html > Hi Gunannan, > > Apologies for missing your initial post of that series. I see that you > fixed this exact bug in 2/3 :(. > > I think 3/3 does make sense for apparmor, but I'm not sure about using > AppArmorSetImageFDLabel() as a common function. It returns if > secdef->imagelabel == NULL, which would be incorrect if labeling a tap > fd right? > > I promise not to miss the patch if you respin it :). > > Regards, > Jim > Nothing to apologize, I really don't know much about apparmor. The tapfd I mean here is not used by libvirt deamon, it is a tapfd created on particular guest which is using macvtap driver to attach virtual NIC to a given physical interface. From the code, the secdef->imagelabel have the same value as secdef->label which is libvirt-{uuid} file in /etc/apparmor.d/libvirt folder. If it is null, that means the guest will not be confined by apparmor, so is this tapfd, I think this is fine.

If you think it is reasonable, I will rebase that patch and send a v2.