File apparmor-alt-seclabel.patch of Package libvirt.6159

commit 8f6a7866102346691fce84ade9a6d8534aaffcdc
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Thu Feb 2 19:26:13 2017 -0700

    apparmor: don't fail on non-apparmor <seclabel>
    
    If the apparmor security driver is loaded/enabled and domain config
    contains a <seclabel> element whose type attribute is not 'apparmor',
    starting the domain fails when attempting to label resources such
    as tap FDs.
    
    Many of the apparmor driver entry points attempt to retrieve the
    apparmor security label from the domain def, returning failure if
    not found. Functions such as AppArmorSetFDLabel fail even though
    domain config contains an explicit 'none' security driver, e.g.
    
      <seclabel type='none' model='none'/>
    
    Change the entry points to succeed if the domain config <seclabel>
    is not apparmor. This matches the behavior of the selinux driver.

Index: libvirt-2.0.0/src/security/security_apparmor.c
===================================================================
--- libvirt-2.0.0.orig/src/security/security_apparmor.c
+++ libvirt-2.0.0/src/security/security_apparmor.c
@@ -288,10 +288,7 @@ reload_profile(virSecurityManagerPtr mgr
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
                                                 def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return rc;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if ((profile_name = get_profile_name(def)) == NULL)
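Review bot: The merged check `if (!secdef || !secdef->relabel)` makes a domain with no apparmor `<seclabel>` indistinguishable from one with relabelling turned off, and neither case leaves a trace in the logs. This is where the driver decides to skip confinement work, so a debug message on the NULL branch would help when auditing why a guest was left unlabelled, e.g. `if (!secdef) { VIR_DEBUG("no apparmor seclabel in domain def, skipping"); return 0; }` ahead of the relabel test. The same pattern is repeated in the AppArmorSetSecurityAllLabel, AppArmorSetSecurityImageLabel, AppArmorSetSecurityHostdevLabel, AppArmorRestoreSecurityHostdevLabel and AppArmorSetFDLabel hunks. reload_profile starts and ends outside this hunk.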
@@ -427,7 +424,7 @@ AppArmorGenSecurityLabel(virSecurityMana
                                                 SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) ||
         (secdef->type == VIR_DOMAIN_SECLABEL_NONE))
@@ -487,10 +484,7 @@ AppArmorSetSecurityAllLabel(virSecurityM
 {
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
                                                     SECURITY_APPARMOR_NAME);
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     /* Reload the profile if stdin_path is specified. Note that
@@ -551,12 +545,11 @@ AppArmorReleaseSecurityLabel(virSecurity
 {
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
                                                         SECURITY_APPARMOR_NAME);
-    if (!secdef)
-        return -1;
-
-    VIR_FREE(secdef->model);
-    VIR_FREE(secdef->label);
-    VIR_FREE(secdef->imagelabel);
+    if (secdef) {
+        VIR_FREE(secdef->model);
+        VIR_FREE(secdef->label);
+        VIR_FREE(secdef->imagelabel);
+    }
 
     return 0;
 }
@@ -572,7 +565,7 @@ AppArmorRestoreSecurityAllLabel(virSecur
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
         if ((rc = remove_profile(secdef->label)) != 0) {
@@ -596,10 +589,7 @@ AppArmorSetSecurityProcessLabel(virSecur
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
 
     if ((profile_name = get_profile_name(def)) == NULL)
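Review bot: Returning 0 for a NULL `secdef` here reports success without applying any profile to the process, and the AppArmorSecurityVerify and AppArmorGenSecurityLabel hunks now return 0 for the same case, so no entry point visible in this patch rejects a domain that lacks an apparmor label while the driver is enabled. That is the intended outcome for `<seclabel type='none' model='none'/>`, but it also covers a def where the label is missing for any other reason. Whether unconfined guests are refused is presumably left to the security manager layer (libvirt's `security_require_confined` setting), which is worth confirming for this code path. A comment on the check would record the decision: `/* No apparmor <seclabel> (e.g. model='none'): nothing to apply, report success. */`. AppArmorSetSecurityChildProcessLabel gets the same change, and both function bodies continue outside their hunks.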
@@ -645,10 +635,7 @@ AppArmorSetSecurityChildProcessLabel(vir
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        goto cleanup;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
 
     if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) {
@@ -730,10 +717,8 @@ AppArmorSetSecurityImageLabel(virSecurit
     if (!src->path || !virStorageSourceIsLocalStorage(src))
         return 0;
 
-    if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
-        return -1;
-
-    if (!secdef->relabel)
+    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if (secdef->imagelabel) {
@@ -784,7 +769,7 @@ AppArmorSecurityVerify(virSecurityManage
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
         if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) {
@@ -820,10 +805,7 @@ AppArmorSetSecurityHostdevLabel(virSecur
     virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
     virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
 
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -918,10 +900,7 @@ AppArmorRestoreSecurityHostdevLabel(virS
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     return reload_profile(mgr, def, NULL, false);
@@ -956,10 +935,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (secdef->imagelabel == NULL)
+    if (!secdef || !secdef->imagelabel)
         return 0;
 
     if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)