Re: [PATCH] Fix starting qemu instances when apparmor driver is enabled

On 03/02/2013 12:41 AM, Jim Fehlig wrote:
Guannan Ren wrote:

     Hi Jim

        In selinux, libvirt added a label for tapfd.
        Do you think this patch makes sense for apparmor?
https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html
Hi Guannan,

Apologies for missing your initial post of that series.  I see that you
fixed this exact bug in 2/3 :(.

I think 3/3 does make sense for apparmor, but I'm not sure about using
AppArmorSetImageFDLabel() as a common function.  It returns if
secdef->imagelabel == NULL, which would be incorrect if labeling a tap
fd right?

I promise not to miss the patch if you respin it :).

Regards,
Jim


     Nothing to apologize for, I really don't know much about apparmor.
     The tapfd I mean here is not used by the libvirt daemon; it is a tapfd
     created on a particular guest which is using the macvtap driver
     to attach a virtual NIC to a given physical interface.
     From the code, secdef->imagelabel has the same value as
     secdef->label, which is the libvirt-{uuid} file in the
     /etc/apparmor.d/libvirt folder. If it is null, that means the guest will not
     be confined by apparmor, so is this tapfd. I think this is fine.
     If you think it is reasonable, I will rebase that patch and send a v2.

     Guannan
