Public bug reported:

Commit 12317957ecd6c37a2fb16275dcdeeacfe25c517 introduced an incompatible architectural change for the AppArmor security driver. Specifically, virSecurityManagerSetAllLabel() is now called much later in src/qemu/qemu_process.c:qemuProcessStart(). Previously, SetAllLabel() was called immediately after GenLabel() such that after the dynamic label (profile name) was generated, SetAllLabel() would be called to create and load the AppArmor profile into the kernel before qemuProcessHook() was executed. With 12317957ecd6c37a2fb16275dcdeeacfe25c517, qemuProcessHook() is now called before SetAllLabel(), such that aa_change_profile() ends up being called before the AppArmor profile is loaded into the kernel (via ProcessLabel() in qemuProcessHook()).

While 0.9.2 is not in Ubuntu yet, this functionality must be fixed if we are to have new libvirt releases in Ubuntu.

** Affects: libvirt (Ubuntu)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
     Status: In Progress

** Affects: libvirt (Ubuntu Oneiric)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
     Status: In Progress

** Also affects: libvirt (Ubuntu Oneiric)
     Importance: Undecided
     Status: New

** Changed in: libvirt (Ubuntu Oneiric)
     Importance: Undecided => Critical

** Changed in: libvirt (Ubuntu Oneiric)
     Status: New => In Progress

** Changed in: libvirt (Ubuntu Oneiric)
     Milestone: None => oneiric-alpha-2

** Changed in: libvirt (Ubuntu Oneiric)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

--
https://bugs.launchpad.net/bugs/801569

Title:
  apparmor security driver broken in 0.9.2
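
The ordering requirement described in the report, as an added example that is not part of the original bug report or of libvirt: a check that the dynamic label is already listed among the kernel's loaded profiles before a profile change is attempted. It assumes the `<name> (<mode>)` line format of /sys/kernel/security/apparmor/profiles and a `libvirt-<uuid>` label; the function names, the guard and the sample UUID are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample in the format of /sys/kernel/security/apparmor/profiles:
 * one "<profile name> (<mode>)" entry per line. The UUID is made up. */
static const char SAMPLE_PROFILES[] =
    "/usr/sbin/libvirtd (enforce)\n"
    "/usr/lib/libvirt/virt-aa-helper (enforce)\n"
    "libvirt-11111111-2222-3333-4444-555555555555 (enforce)\n";

/* Return 1 if `name` is listed as a loaded profile in `list`, else 0.
 * The whole name must match: a prefix of a longer name does not count. */
int profile_is_loaded(const char *list, const char *name)
{
    size_t want = strlen(name);
    const char *line = list;

    if (want == 0)
        return 0;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        size_t name_len = len;
        /* The mode suffix starts at the last " (" on the line. */
        for (size_t i = len; i >= 2; i--) {
            if (line[i - 2] == ' ' && line[i - 1] == '(') {
                name_len = i - 2;
                break;
            }
        }
        if (name_len == want && memcmp(line, name, want) == 0)
            return 1;
        line += len + (eol ? 1 : 0);
    }
    return 0;
}

/* Hypothetical guard modelling the ordering requirement: the hook may only
 * switch to the dynamic label once that profile is loaded. Returns 0 if the
 * change may proceed, -1 if the label is not loaded yet (the 0.9.2 ordering). */
int check_before_change_profile(const char *list, const char *label)
{
    return profile_is_loaded(list, label) ? 0 : -1;
}
```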