From dfd960bca6cef65e12d5f2b23224fbae67493e35 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Tue, 19 Dec 2017 16:03:43 +0100
Subject: [PATCH] apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*

This is required for the ebtables functionality added in libvirt 0.8.0.

Signed-off-by: Stefan Bader
---
 examples/apparmor/usr.sbin.libvirtd | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index febe8a4075..a1083b0410 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -79,6 +79,10 @@
  /usr/{lib,lib64}/xen/bin/* Ux,
  /usr/lib/xen-*/bin/libxl-save-helper PUx,
 
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # read and run an ebtables script.
+ /var/lib/libvirt/virtd* ixr,
+
  # force the use of virt-aa-helper
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
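Review bot: The new rule `/var/lib/libvirt/virtd* ixr,` grants inherit-execute on every file whose name starts with `virtd` in that directory, which is wider than the single temporary script the comment above it describes; if ebiptablesWriteToTempFile() uses a fixed mkstemp template (presumably `virtdXXXXXX`), the pattern can be narrowed to that width, e.g. `/var/lib/libvirt/virtd?????? ixr,`, so stray or attacker-placed `virtd*` files are not made executable under the profile. The rule grants no `w`, so libvirtd's ability to write the script must come from a `/var/lib/libvirt/` rule elsewhere in the profile that this hunk does not show; worth confirming it exists, otherwise the feature will be denied at write time rather than at exec time. `ix` is the right choice here since it keeps the helper script under the libvirtd profile rather than escaping to unconfined as the neighbouring `Ux`/`PUx` rules do; I would make that explicit in the comment, e.g. `# ix (not Px/Ux) so the generated script stays confined by this profile.`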