Commit a3ab6d42 changed the libvirtd profile to a named profile,
breaking the apparmor driver's ability to detect if the profile is
active. When the apparmor driver loads it checks the status of the
libvirtd profile using the full binary path, which fails since the
profile is now referenced by name. If the apparmor driver is
explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
to load too.
Instead of only checking the profile status by full binary path,
also check by profile name. The full path check is retained in case
users have a customized libvirtd profile with full path.
Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
---
src/security/security_apparmor.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 4afdef065a..6d16b15c65 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -257,10 +257,16 @@ use_apparmor(void)
if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
goto cleanup;
+ /* First check profile status using full binary path. If that fails
+ * check using profile name.
+ */
rc = profile_status(libvirt_daemon, 1);
- /* Error or unconfined should all result in -1*/
- if (rc < 0)
- rc = -1;
+ if (rc < 0) {
+ rc = profile_status("libvirtd", 1);
+ /* Error or unconfined should all result in -1*/
+ if (rc < 0)
+ rc = -1;
+ }
cleanup:
VIR_FREE(libvirt_daemon);
--
2.20.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
