# Last Modified: Mon Apr 5 15:03:58 2010 #include @{LIBVIRT}="libvirt" /usr/sbin/libvirtd flags=(attach_disconnected) { #include #include capability kill, capability net_admin, capability net_raw, capability setgid, capability sys_admin, capability sys_module, capability sys_ptrace, capability sys_pacct, capability sys_nice, capability sys_chroot, capability setuid, capability dac_override, capability dac_read_search, capability fowner, capability chown, capability setpcap, capability mknod, capability fsetid, capability audit_write, capability ipc_lock, # Needed for vfio capability sys_resource, mount options=(rw,rslave) -> /, mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/, mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/, mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/, mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/, mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/, mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/, mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/, mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/, mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/, mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/, network inet stream, network inet dgram, network inet6 stream, network inet6 dgram, network netlink raw, network packet dgram, network packet raw, # for --p2p migrations unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), ptrace (trace) peer=unconfined, ptrace (trace) peer=/usr/sbin/libvirtd, ptrace (trace) peer=/usr/sbin/dnsmasq, ptrace (trace) peer=libvirt-*, signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. / r, /** rwmkl, /bin/* PUx, /sbin/* PUx, /usr/bin/* PUx, /usr/sbin/virtlogd pix, /usr/sbin/* PUx, /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, /usr/lib/xen-*/bin/libxl-save-helper PUx, # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to # read and run an ebtables script. /var/lib/libvirt/virtd* ixr, # force the use of virt-aa-helper audit deny /{usr/,}sbin/apparmor_parser rwxl, audit deny /etc/apparmor.d/libvirt/** wxl, audit deny /sys/kernel/security/apparmor/features rwxl, audit deny /sys/kernel/security/apparmor/matching rwxl, audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, /usr/{lib,lib64}/libvirt/* PUxr, /usr/{lib,lib64}/libvirt/libvirt_parthelper ix, /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, # allow changing to our UUID-based named profiles change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { #include capability setuid, capability setgid, capability setpcap, capability net_admin, network inet stream, /dev/net/tun rw, /etc/qemu/** r, owner @{PROC}/*/status r, /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } }