On Fri, 01 Mar 2019, Jim Fehlig wrote: > Commit a3ab6d42 changed the libvirtd profile to a named profile, > breaking the apparmor driver's ability to detect if the profile is > active. When the apparmor driver loads it checks the status of the > libvirtd profile using the full binary path, which fails since the > profile is now referenced by name. If the apparmor driver is > explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails > to load too. > > Instead of only checking the profile status by full binary path, > also check by profile name. The full path check is retained in case > users have a customized libvirtd profile with full path. > > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> > --- > src/security/security_apparmor.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c > index 4afdef065a..6d16b15c65 100644 > --- a/src/security/security_apparmor.c > +++ b/src/security/security_apparmor.c > @@ -257,10 +257,16 @@ use_apparmor(void) > if (access(APPARMOR_PROFILES_PATH, R_OK) != 0) > goto cleanup; > > + /* First check profile status using full binary path. If that fails > + * check using profile name. > + */ > rc = profile_status(libvirt_daemon, 1); > - /* Error or unconfined should all result in -1*/ > - if (rc < 0) > - rc = -1; > + if (rc < 0) { > + rc = profile_status("libvirtd", 1); > + /* Error or unconfined should all result in -1*/ > + if (rc < 0) > + rc = -1; > + } LGTM. +1 to apply. Thanks! -- Jamie Strandboge | http://www.canonical.com
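Review bot: The fallback in use_apparmor() hard-codes the profile name as a string literal in `rc = profile_status("libvirtd", 1);`, so the driver carries a second copy of a name that the profile file defines, and the two can drift apart the same way the full-path check did after a3ab6d42. Consider a named constant next to APPARMOR_PROFILES_PATH, with a comment pointing at the profile that must match it. Note also that the retry runs on any `rc < 0` from the full-path lookup, which per the existing comment covers both an error and the unconfined case, so a genuine failure of the first call is hidden whenever the name lookup succeeds. A debug message recording which of the two lookups matched would make that visible when diagnosing why the driver did or did not load. Minor style point: the moved comment still reads `-1*/` without a space before the closing delimiter.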
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list