On 1/22/19 1:01 PM, Jamie Strandboge wrote:
On Mon, 14 Jan 2019, Jim Fehlig wrote:
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
> ---
>
> Optional patch that may need a bit of coordination with upstream apparmor
> since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.
>
> src/security/apparmor/usr.sbin.libvirtd | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd
b/src/security/apparmor/usr.sbin.libvirtd
> index 0db52c524c..29f9936ad9 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd
> +++ b/src/security/apparmor/usr.sbin.libvirtd
> @@ -2,7 +2,7 @@
> #include <tunables/global>
> @{LIBVIRT}="libvirt"
>
> -/usr/sbin/libvirtd flags=(attach_disconnected) {
> +profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
> #include <abstractions/base>
> #include <abstractions/dbus>
>
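Review bot: giving the profile the name `libvirtd` changes the label it runs under from `/usr/sbin/libvirtd` to `libvirtd`, so every rule that matches the old label (`peer=/usr/sbin/libvirtd` or `peer=(label=/usr/sbin/libvirtd)`, whether in this file or in the upstream dnsmasq profile named in the commit note) silently stops matching until it is updated. Keep the path form alongside the new name in those rules during the transition, and add a one-line comment above the `profile libvirtd` line saying that other profiles reference this label, so the rename is neither reverted nor left half-applied.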
> @@ -51,7 +51,7 @@
> unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
>
> ptrace (read,trace) peer=unconfined,
> - ptrace (read,trace) peer=/usr/sbin/libvirtd,
> + ptrace (read,trace) peer=@{profile_name},
> ptrace (read,trace) peer=dnsmasq,
> ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> ptrace (read,trace) peer=libvirt-*,
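Review bot: `@{profile_name}` expands to the profile's own name, so this self-ptrace rule now follows the rename (and any later one) and dropping the `/usr/sbin/libvirtd` form here is correct. The adjacent pair `peer=dnsmasq` / `peer=/usr/sbin/dnsmasq` reads like a duplicate, though; since it is there to cover both spellings of the dnsmasq label, a short comment above the pair would stop a future cleanup from deleting one of them.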
> @@ -123,6 +123,7 @@
> # For communication/control from libvirtd
> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
> signal (receive) set=("term") peer=/usr/sbin/libvirtd,
> + signal (receive) set=("term") peer=libvirtd,
>
> /dev/net/tun rw,
> /etc/qemu/** r,
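Review bot: the unix rule two lines above the added line still matches only `peer=(label=/usr/sbin/libvirtd)`; once the parent profile is named `libvirtd` that label no longer exists, so the stream socket from libvirtd into this child profile would not match while only the signal side is covered by the new line. Add the counterpart next to the new signal rule, `unix (send, receive) type=stream addr=none peer=(label=libvirtd),`, and keep the path form beside it, as the two signal rules do, until the old label is gone everywhere.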
This also LGTM. It'd be nice if there was a mechanism to specify the parent
profile like we can the current profile, but we can't now and this is fine.
Thanks for reviewing these patches! I've pushed them now.
Regards,
Jim