# Last Modified: Mon Apr 5 15:03:58 2010
#
# AppArmor profile for the libvirt daemon (/usr/sbin/libvirtd) plus a child
# profile for qemu-bridge-helper. By its own admission (see below) this is a
# deliberately lenient profile: the tight confinement is expected to live in the
# per-guest profiles that libvirtd switches into via change_profile.
#
# NOTE(review): every `#include` on this page has lost its angle-bracketed
# target (the page rendering stripped it). A bare `#include` will not parse;
# restore the targets from the upstream profile before loading. The first one
# presumably pulls in the global tunables, since `@{PROC}` is used by the child
# profile below without being defined here — confirm.
#include
@{LIBVIRT}="libvirt"

# attach_disconnected: paths that become disconnected from the namespace root
# (e.g. after the /dev mount moves below) are still matched against the rules
# instead of being denied outright.
/usr/sbin/libvirtd flags=(attach_disconnected) {
  # NOTE(review): include targets stripped by rendering — see header comment.
  #include
  #include

  # Capabilities. This set is broad for a confined daemon: sys_admin, sys_module,
  # sys_ptrace and dac_override in particular give near-root reach, so the real
  # boundary for guest isolation is the per-guest profile, not this list.
  capability kill,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_nice,
  capability sys_chroot,
  capability setuid,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability chown,
  capability setpcap,
  capability mknod,
  capability fsetid,
  capability audit_write,
  capability ipc_lock,
  # Needed for vfio
  capability sys_resource,

  # Mount rules: remount / as rslave and manage the per-guest /dev trees under
  # /run/libvirt/qemu/<name>.dev/ (note the nosuid option on that mountpoint).
  mount options=(rw,rslave) -> /,
  mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
  # libvirt provides any mounts under /dev to qemu namespaces
  mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
  mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
  mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,

  # Networking: IPv4/IPv6 sockets plus netlink and raw packet sockets (the
  # latter two are what the nwfilter/bridge management needs).
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network netlink raw,
  network packet dgram,
  network packet raw,

  # for --p2p migrations
  unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),

  # ptrace/signal rules. Tracing `peer=unconfined` together with cap sys_ptrace
  # means a compromised libvirtd can inspect unconfined processes on the host;
  # this is a known trade-off of the lenient design, not an oversight.
  ptrace (read,trace) peer=unconfined,
  ptrace (read,trace) peer=/usr/sbin/libvirtd,
  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
  ptrace (read,trace) peer=libvirt-*,
  signal (send) peer=/usr/sbin/dnsmasq,
  signal (read, send) peer=libvirt-*,
  signal (send) set=("kill", "term") peer=unconfined,

  # For communication/control to qemu-bridge-helper
  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
  signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,

  # allow connect with openGraphicsFD, direction reversed in newer versions
  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),

  # unconfined also required if guests run without security module
  unix (send, receive) type=stream addr=none peer=(label=unconfined),

  # required if guests run unconfined seclabel type='none' but libvirtd is confined
  signal (read, send) peer=unconfined,

  # Very lenient profile for libvirtd since we want to first focus on confining
  # the guests. Guests will have a very restricted profile.
  #
  # `/** rwmkl` grants read/write/mmap/lock/link on the entire filesystem; the
  # only thing it withholds is execute, which is why the exec rules below are
  # enumerated separately. The `audit deny` rules further down still win over
  # this wildcard, because deny takes precedence over allow in AppArmor.
  / r,
  /** rwmkl,

  # Exec rules. `PUx` = transition to the target's own profile if one is
  # loaded, otherwise run it unconfined (environment scrubbed). In practice
  # most binaries under /bin, /sbin, /usr/bin and /usr/sbin have no profile,
  # so these are effectively unconfined exec. `Ux` is always unconfined.
  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
  # lowercase `pix`: switch to virtlogd's profile (inherit this one if absent),
  # without environment scrubbing.
  /usr/sbin/virtlogd pix,
  /usr/sbin/* PUx,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
  /usr/lib/xen-*/bin/libxl-save-helper PUx,

  # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
  # read and run an ebtables script.
  # `ixr`: the script inherits this profile. Note /var/lib/libvirt is writable
  # via `/** rwmkl`, so anything that can write there can run under this label.
  /var/lib/libvirt/virtd* ixr,

  # force the use of virt-aa-helper
  # libvirtd must not load/modify AppArmor policy itself; the denials are
  # audited so any attempt shows up in the audit log. /sys/.../profiles stays
  # readable so libvirtd can check which guest profiles are loaded.
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,

  # libvirt's own helpers. `PUxr` on the wildcard means any helper without its
  # own profile runs unconfined; parthelper and iohelper explicitly inherit.
  /usr/{lib,lib64}/libvirt/* PUxr,
  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
  # Hook and Xen scripts run with this profile's (very wide) permissions.
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,

  # allow changing to our UUID-based named profiles
  # This is the hand-off to the tight per-guest profiles referenced in the
  # header: libvirtd switches into libvirt-<uuid> before launching a guest.
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

  # `Cx`: run the bridge helper in the local child profile defined below
  # (environment scrubbed), rather than inheriting this profile.
  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,

  # child profile for bridge helper process
  # Much tighter than the parent: only the capabilities needed to attach a tap
  # device to a bridge, a TCP socket, /dev/net/tun and read access to /etc/qemu.
  profile qemu_bridge_helper {
   # NOTE(review): include target stripped by rendering — see header comment.
   #include
   capability setuid,
   capability setgid,
   capability setpcap,
   capability net_admin,
   network inet stream,
   # For communication/control from libvirtd
   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
   signal (receive) set=("term") peer=/usr/sbin/libvirtd,
   /dev/net/tun rw,
   /etc/qemu/** r,
   # `owner`: only /proc/<pid>/status entries owned by the helper's own uid.
   owner @{PROC}/*/status r,
   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }
}