Re: [libvirt] [PATCH] Fix starting qemu instances when apparmor driver is enabled

On 03/02/2013 12:41 AM, Jim Fehlig wrote:
Guannan Ren wrote:

     Hi Jim

        In selinux, libvirt added a label for tapfd.
        Do you think this patch makes sense for apparmor?
Hi Guannan,

Apologies for missing your initial post of that series.  I see that you
fixed this exact bug in 2/3 :(.

I think 3/3 does make sense for apparmor, but I'm not sure about using
AppArmorSetImageFDLabel() as a common function.  It returns if
secdef->imagelabel == NULL, which would be incorrect if labeling a tap
fd, right?

I promise not to miss the patch if you respin it :).


Nothing to apologize for, I really don't know much about apparmor. The tapfd I mean here is not used by the libvirt daemon; it is a tapfd created on a particular guest which is using the macvtap driver to attach a virtual NIC to a given physical interface.
From the code, secdef->imagelabel has the same value as secdef->label, which is the libvirt-{uuid} file in the /etc/apparmor.d/libvirt folder. If it is null, that means the guest will not be confined by apparmor, and neither will this tapfd. I think this is fine.
If you think it is reasonable, I will rebase that patch and send a v2.


