libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper

# Last Modified: Mon Jul  06 17:22:37 2009
#include <tunables/global>

/usr/lib/libvirt/virt-aa-helper {
  #include <abstractions/base>

  # needed for searching directories
  capability dac_override,
  capability dac_read_search,

  # needed for when disk is on a network filesystem
  network inet,

  deny @{PROC}/[0-9]*/mounts r,
  @{PROC}/filesystems r,

  /usr/lib/libvirt/virt-aa-helper mr,
  /sbin/apparmor_parser Ux,

  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
}
Documentation and examples for SVirt Apparmor driver * docs/drvqemu.html.in: include documentation for AppArmor sVirt confinement * examples/apparmor/TEMPLATE examples/apparmor/libvirt-qemu examples/apparmor/usr.lib.libvirt.virt-aa-helper examples/apparmor/usr.sbin.libvirtd: example templates and configuration files for SVirt Apparmor when using KVM/QEmu 2009-10-08 14:42:05 +00:00			`# Last Modified: Mon Jul 06 17:22:37 2009`
			`#include <tunables/global>`

			`/usr/lib/libvirt/virt-aa-helper {`
			`#include <abstractions/base>`

			`# needed for searching directories`
			`capability dac_override,`
			`capability dac_read_search,`

			`# needed for when disk is on a network filesystem`
			`network inet,`

			`deny @{PROC}/[0-9]*/mounts r,`
			`@{PROC}/filesystems r,`

			`/usr/lib/libvirt/virt-aa-helper mr,`
			`/sbin/apparmor_parser Ux,`

			`/etc/apparmor.d/libvirt/* r,`
			`/etc/apparmor.d/libvirt/libvirt-[0-9a-f]-[0-9a-f]-[0-9a-f]-[0-9a-f]-[0-9a-f]* rw,`
			`}`