Hi,
On Tue, Sep 19, 2017 at 10:36:03PM -0600, Jim Fehlig wrote:
> On 09/18/2017 01:24 PM, Guido Günther wrote:
> > instead of only unloading it. This makes sure old profiles don't pile up
> > in /etc/apparmor.d/libvirt and we get updates to modified templates on
> > VM restart.
>
> Makes sense. Pushed. Thanks!
>
> > ---
> > src/security/security_apparmor.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> > index 5afe0c5c85..1db94c632f 100644
> > --- a/src/security/security_apparmor.c
> > +++ b/src/security/security_apparmor.c
> > @@ -220,7 +220,7 @@ remove_profile(const char *profile)
> > {
> > int rc = -1;
> > const char * const argv[] = {
> > - VIRT_AA_HELPER, "-R", "-u", profile, NULL
> > + VIRT_AA_HELPER, "-D", "-u", profile, NULL
>
> I included this patch in my libvirt+apparmor testing and noticed that the
> profiles are not deleted when a VM start fails. But that's no fault of your
> change.

Hmmm...seems we're lacking a call to .domainRestoreSecurityAllLabel in this
case. I'll put this on my TODO list.

Cheers,
 -- Guido

>
> Reviewed-by: Jim Fehlig <jfehlig@xxxxxxxx>
>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
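
Review bot: On the changed argv line in remove_profile(), the only visible difference is the helper flag going from "-R" to "-D", and nothing in the hunk records that the function now deletes the profile under /etc/apparmor.d/libvirt instead of only unloading it. A short comment above the argv initializer stating that, and why (stale profiles piling up, modified templates picked up on VM restart), would save the next reader from looking up the VIRT_AA_HELPER options. As the reply in this thread notes, the cleanup only happens on paths that actually reach remove_profile(); the failed-VM-start path is outside this hunk and needs its own follow-up.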