Guannan Ren wrote:
> On 03/01/2013 08:37 AM, Jim Fehlig wrote:
>> Eric Blake wrote:
>>> On 02/27/2013 04:51 PM, Jim Fehlig wrote:
>>>
>>>> With the apparmor security driver enabled, qemu instances fail
>>>> to start
>>>>
>>>> # grep ^security_driver /etc/libvirt/qemu.conf
>>>> security_driver = "apparmor"
>>>> # virsh start test-kvm
>>>> error: Failed to start domain test-kvm
>>>> error: internal error security label already defined for VM
>>>>
>>>> The model field of virSecurityLabelDef object is always populated
>>>> by virDomainDefGetSecurityLabelDef(), so remove the check for a
>>>> NULL model when verifying if a label is already defined for the
>>>> instance.
>>>>
>>>> Checking for a NULL model and populating it later in
>>>> AppArmorGenSecurityLabel() has been left in the code to be
>>>> consistent with virSecuritySELinuxGenSecurityLabel().
>>>> ---
>>>> src/security/security_apparmor.c | 6 ++----
>>>> 1 file changed, 2 insertions(+), 4 deletions(-)
>>>>
>>> ACK; and safe for 1.0.3.
>>>
>> Thanks, pushed now.
>>
>> --
>> libvir-list mailing list
>> libvir-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/libvir-list
>
> Hi Jim
>
> In selinux, libvirt added a label for tapfd.
> Do you think this patch makes sense for apparmor?
> https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html

Hi Guannan,

Apologies for missing your initial post of that series. I see that you fixed this exact bug in 2/3 :(.

I think 3/3 does make sense for apparmor, but I'm not sure about using AppArmorSetImageFDLabel() as a common function. It returns if secdef->imagelabel == NULL, which would be incorrect if labeling a tap fd, right?

I promise not to miss the patch if you respin it :).

Regards,
Jim