On 6/10/24 16:29, Georgia Garcia wrote:
On Mon, 2024-06-10 at 15:03 +0200, Michal Prívozník wrote:
> On 6/4/24 19:34, Georgia Garcia wrote:
>> Change the 'include' in the AppArmor policy to use 'include if exists'
>> when including <uuid>.files. Note that 'if exists' is only available
>> after AppArmor 3.0, therefore a #ifdef check must be added.
>>
>> When the <uuid>.files is not present, there are some failures in the
>> AppArmor tools like the following, since they expect the file to exist
>> when using 'include':
>>
>> ERROR: Include file /etc/apparmor.d/libvirt/libvirt-8534a409-a460-4fab-a2dd-0e1dce4ff273.files not found
>
> When can this ever happen? I thought libvirt creates this file for each
> domain running.
The file does not exist when the domain is not running, so if you're
running an apparmor tool like aa-genprof, they scan all profiles under
/etc/apparmor.d/ and they expect a valid state for the policies - which
these don't have because they include a file that does not exist unless
the domain is running.

Fair enough.

Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>

and merged. Congratulations on your first libvirt contribution!

Michal
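
Added example (not part of the thread and not libvirt or AppArmor code): a small check for the condition described above, a policy file with a plain `include` whose target is absent, which is what makes the AppArmor tools report "Include file ... not found". The profile text, the `libvirt-aaaa`/`libvirt-bbbb` names and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# 'include' or '#include', optional 'if exists', then <magic> or "quoted" path.
INCLUDE_RE = re.compile(
    r'^\s*#?include\s+(?P<opt>if\s+exists\s+)?'
    r'(?:<(?P<magic>[^>]+)>|"(?P<quoted>[^"]+)")'
)

def dangling_includes(policy_root):
    """List (file, line_no, target) for mandatory includes whose target is missing."""
    root = Path(policy_root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            m = INCLUDE_RE.match(line)
            if not m or m.group("opt"):
                continue  # not an include, or 'if exists' tolerates absence
            raw = m.group("magic") or m.group("quoted")
            # <path> is relative to the policy root. Assumption: a relative
            # quoted path is resolved the same way; an absolute one is used as is.
            if not (root / raw).exists():
                findings.append((str(path.relative_to(root)), line_no, raw))
    return findings

def build_sample(policy_root):
    """Constructed tree: two stopped domains, so neither .files exists."""
    d = Path(policy_root) / "libvirt"
    d.mkdir(parents=True)
    # Domain A: plain include of a .files that is absent.
    (d / "libvirt-aaaa").write_text(
        "profile libvirt-aaaa {\n  #include <libvirt/libvirt-aaaa.files>\n}\n")
    # Domain B: the same include written with 'if exists'.
    (d / "libvirt-bbbb").write_text(
        "profile libvirt-bbbb {\n  #include if exists <libvirt/libvirt-bbbb.files>\n}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in dangling_includes(tmp):
            print("missing include: %s:%d -> %s" % finding)
```

Pointed at a copy of a real policy directory, the same function lists every profile that would trip the tools while its domain is stopped.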