# Last Modified: Mon Apr  5 15:03:58 2010
#include <tunables/global>
@{LIBVIRT}="libvirt"

/usr/sbin/libvirtd {
  #include <abstractions/base>

  capability kill,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_nice,
  capability sys_chroot,
  capability setuid,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability chown,
  capability setpcap,
  capability mknod,
  capability fsetid,

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Very lenient profile for libvirtd since we want to first focus on confining
  # the guests. Guests will have a very restricted profile.
  /** rwmkl,

  /bin/* Ux,
  /sbin/* Ux,
  /usr/bin/* Ux,
  /usr/sbin/* Ux,

  # force the use of virt-aa-helper
  audit deny /sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
  /usr/lib/libvirt/* PUxr,

  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

}