Re: [PATCH] Fix starting qemu instances when apparmor driver is enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Guannan Ren wrote:
> On 03/02/2013 12:41 AM, Jim Fehlig wrote:
>> Guannan Ren wrote:
>>
>>>      Hi Jim
>>>
>>>         In selinux, libvirt added a label for tapfd.
>>>         Do you think this patch makes sense for apparmor?
>>> https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html
>> Hi Gunannan,
>>
>> Apologies for missing your initial post of that series.  I see that you
>> fixed this exact bug in 2/3 :(.
>>
>> I think 3/3 does make sense for apparmor, but I'm not sure about using
>> AppArmorSetImageFDLabel() as a common function.  It returns if
>> secdef->imagelabel == NULL, which would be incorrect if labeling a tap
>> fd right?
>>
>> I promise not to miss the patch if you respin it :).
>>
>> Regards,
>> Jim
>>
>
>      Nothing to apologize, I really don't know much about apparmor.
> The tapfd I mean here
>      is not used by libvirt deamon, it is a tapfd created on
> particular guest which is using macvtap driver
>      to attach virtual NIC to a given physical interface.
>      From the code, the secdef->imagelabel have the same value as
> secdef->label
>      which is libvirt-{uuid} file in /etc/apparmor.d/libvirt folder. 
> If it is null, that means the guest will not
>      be confined by apparmor, so is this tapfd, I think this is fine.

Yes, agreed.

>
>      If you think it is reasonable, I will rebase that patch and send
> a v2.

Yep, I think it is reasonable and necessary.  I finally got around to
testing your patch and it is indeed needed when using macvtap with
apparmor-confined guests.

Thanks for looking into this!

Regards,
Jim

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]