On Tue, 1 Apr 2025 at 14:22, Andrea Bolognani <abolo...@redhat.com> wrote:
>
> On Tue, Apr 01, 2025 at 10:55:28AM +0200, Alessandro wrote:
> > We attempted multiple ways to clean up dynamic files; however, we must
> > preserve user overrides, which requires keeping the file
> > /etc/apparmor.d/libvirt/libvirt-uuid
> >
> > This commit proposes to move user overrides into
> > /etc/apparmor.d/libvirt/libvirt-uuid.local and include it, if present,
> > unconditionally. When we stop the domain, we remove libvirt.uuid and
> > libvirt-uuid.files, whereas we preserve libvirt-uuid.local if present.
>
> The way you describe things, it sounds like the AppArmor driver
> already expects local overrides to exist. Is that documented
> anywhere? If so, an update is probably needed. And either way, this
> file you're introducing and its purpose will have to be documented.

Thank you for your remark, Andrea.

AFAICT, it's documented here
https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage
and in docs/drvqemu.rst.

If my proposal is accepted, I'll update those pages accordingly with a separate patch, clearly stating that the behaviour has changed and the user overrides must be saved into the /etc/apparmor.d/libvirt/libvirt-uuid.local file.

I don't know if I can modify the GitLab wiki by sending a patch though :)

Thank you,
Best regards
A.