Guannan Ren wrote:
> On 03/02/2013 12:41 AM, Jim Fehlig wrote:
>> Guannan Ren wrote:
>>
>>> Hi Jim
>>>
>>> In selinux, libvirt added a label for tapfd.
>>> Do you think this patch makes sense for apparmor?
>>> https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html
>> Hi Guannan,
>>
>> Apologies for missing your initial post of that series. I see that you
>> fixed this exact bug in 2/3 :(.
>>
>> I think 3/3 does make sense for apparmor, but I'm not sure about using
>> AppArmorSetImageFDLabel() as a common function. It returns if
>> secdef->imagelabel == NULL, which would be incorrect if labeling a tap
>> fd, right?
>>
>> I promise not to miss the patch if you respin it :).
>>
>> Regards,
>> Jim
>>
>
> Nothing to apologize for; I really don't know much about apparmor.
> The tapfd I mean here is not used by the libvirt daemon; it is a tapfd
> created on a particular guest which is using the macvtap driver
> to attach a virtual NIC to a given physical interface.
> From the code, secdef->imagelabel has the same value as secdef->label,
> which is the libvirt-{uuid} file in the /etc/apparmor.d/libvirt folder.
> If it is null, that means the guest will not be confined by apparmor,
> and neither is this tapfd; I think this is fine.

Yes, agreed.

>
> If you think it is reasonable, I will rebase that patch and send
> a v2.

Yep, I think it is reasonable and necessary. I finally got around to testing your patch and it is indeed needed when using macvtap with apparmor-confined guests.

Thanks for looking into this!

Regards,
Jim

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list