Michal Privoznik wrote: > On 02/03/2017 06:32 PM, Jim Fehlig wrote: >> If the apparmor security driver is loaded/enabled and domain config >> contains a <seclabel> element whose type attribute is not 'apparmor', >> starting the domain fails when attempting to label resources such >> as tap FDs. >> >> Many of the apparmor driver entry points attempt to retrieve the >> apparmor security label from the domain def, returning failure if >> not found. Functions such as AppArmorSetFDLabel fail even though >> domain config contains an explicit 'none' secuirty driver, e.g. >> >> <seclabel type='none' model='none'/> >> >> Change the entry points to succeed if the domain config <seclabel> >> is not apparmor. This matches the behavior of the selinux driver. >> >> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> >> --- >> src/security/security_apparmor.c | 58 ++++++++++++---------------------------- >> 1 file changed, 17 insertions(+), 41 deletions(-) > > ACK Thanks. Forgot to mention it, but I pushed these patches yesterday after receiving your ACK. Regards, Jim -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
