On 02/03/2017 06:32 PM, Jim Fehlig wrote: > If the apparmor security driver is loaded/enabled and domain config > contains a <seclabel> element whose type attribute is not 'apparmor', > starting the domain fails when attempting to label resources such > as tap FDs. > > Many of the apparmor driver entry points attempt to retrieve the > apparmor security label from the domain def, returning failure if > not found. Functions such as AppArmorSetFDLabel fail even though > domain config contains an explicit 'none' secuirty driver, e.g. > > <seclabel type='none' model='none'/> > > Change the entry points to succeed if the domain config <seclabel> > is not apparmor. This matches the behavior of the selinux driver. > > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> > --- > src/security/security_apparmor.c | 58 ++++++++++++---------------------------- > 1 file changed, 17 insertions(+), 41 deletions(-) ACK Michal -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
