On 11/05/2017 08:29 AM, [email protected] wrote:
From: intrigeri <[email protected]>

---
  examples/apparmor/libvirt-qemu      | 4 ++++
  examples/apparmor/usr.sbin.libvirtd | 6 ++++++
  2 files changed, 10 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 97dd2d45a9..9d487bf92f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,10 @@
    network inet stream,
    network inet6 stream,
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+  signal (receive) peer=/usr/sbin/libvirtd,
+
    /dev/net/tun rw,
    /dev/kvm rw,
    /dev/ptmx rw,
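Review bot: the commit message is empty, so nothing records which AppArmor denials these two rules resolve; a short note (which libvirtd operation traces or signals the qemu process, and the audit lines that were seen) belongs in the message or as a comment above the rules, in the style of the existing `# Needed for vfio` comment in the libvirtd profile. `signal (receive) peer=/usr/sbin/libvirtd,` also names no signal set, so the guest profile accepts every signal from libvirtd; if only specific signals are needed, restricting the set keeps the guest side of this pair (the matching `signal (read, send) peer=libvirt-*,` rule in the second file) as tight as the rest of the guest profile.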
diff --git a/examples/apparmor/usr.sbin.libvirtd 
b/examples/apparmor/usr.sbin.libvirtd
index 819068ffc3..d2831aa491 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -30,10 +30,13 @@
    # Needed for vfio
    capability sys_resource,
+ mount,
+

I suppose this isn't needed here since it is removed in 2/2?

Regards,
Jim

    network inet stream,
    network inet dgram,
    network inet6 stream,
    network inet6 dgram,
+  network netlink raw,
    network packet dgram,
    network packet raw,
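Review bot: the bare `mount,` rule grants libvirtd every mount operation with no source, filesystem type, option or destination restriction, a large widening of a profile the file itself describes as very lenient; since the reply above says the rule is dropped again in 2/2, squashing the two patches so the unrestricted rule never lands in the tree would be cleaner, or the rule should be narrowed to the specific mount the code needs. `network netlink raw,` likewise arrives without a comment naming its caller, unlike the existing `# Needed for vfio` line two rules above; a one-line note would help the next person auditing this profile.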
@@ -42,6 +45,9 @@
    ptrace (trace) peer=/usr/sbin/dnsmasq,
    ptrace (trace) peer=libvirt-*,
+ signal (send) peer=/usr/sbin/dnsmasq,
+  signal (read, send) peer=libvirt-*,
+
    # Very lenient profile for libvirtd since we want to first focus on 
confining
    # the guests. Guests will have a very restricted profile.
    / r,
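Review bot: `signal (read, send) peer=libvirt-*,` spells the receive direction as `read`, while the libvirt-qemu hunk in the same series uses `receive` for the mirror rule; whichever keyword the apparmor.d man page prefers, using the same one in both files keeps the pair visibly symmetric with `signal (receive) peer=/usr/sbin/libvirtd,` on the guest side. Neither new rule names a signal set, so libvirtd may send any signal to dnsmasq and to every `libvirt-*` guest; if the code path only needs a few signals, a comment saying which ones, and a `set=` restriction if the parser version in use supports it, would document the intent.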


--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
