git.ipfire.org Git - thirdparty/libvirt.git/commit
Fix apparmor issues for Xen
author Mike Latimer <mlatimer@suse.com>
Tue, 20 Jan 2015 01:25:40 +0000 (18:25 -0700)
committer Cédric Bosdonnat <cbosdonnat@suse.com>
Fri, 23 Jan 2015 10:11:53 +0000 (11:11 +0100)
commit b61fb8e8af13d98bb4eebbb1fddefebf93d7d4f1
tree fe79565840ab9ca6c30a57ae2b7a0072943c73cf
parent 852cea52ec2e0db63b561ca1fdffb5250eaf737e
Fix apparmor issues for Xen

In order for apparmor to work properly in Xen environments, the following
access rights need to be allowed:

 - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
   Broadcom cards by writing to the PCI config space

 - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
   this setting, an error 'Resource temporarily unavailable' can be seen
   while attempting to mmap memory. At the same time, the following
   apparmor message is seen:

   apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
   pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
   capname="ipc_lock"

 - Allow access to distribution-specific directories:
     /usr/{lib,lib64}/xen/bin
examples/apparmor/usr.sbin.libvirtd
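The DENIED message quoted in the commit is the evidence an administrator works from when deciding which capability rule a profile is missing. The following script is an added example, not code from the commit or from libvirt: it parses AppArmor "capable" audit lines into fields, cross-checks the capability number against capname (numbers taken from linux/capability.h), and emits the profile rule that would satisfy each denial. The sample log line is constructed from the message quoted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the denial quoted in the commit message, reassembled
# onto one line as it appears in the kernel log (duplicated pid/comm dropped).
SAMPLE_DENIAL = (
    'apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" '
    'pid=2097 comm="libvirtd" capability=14 capname="ipc_lock"'
)

# Capability numbers from <linux/capability.h> for the two the commit adds.
CAP_NUMBERS = {"sys_pacct": 20, "ipc_lock": 14}

# key=value pairs; the value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line: str) -> Dict[str, str]:
    """Split an AppArmor audit line into its key=value fields, quotes stripped."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Return the profile rule that satisfies a DENIED 'capable' event, else None.

    Only capability denials are handled.  The numeric capability is checked
    against capname so a mangled log line cannot yield a rule for the wrong
    capability.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "capable":
        return None
    name, number = fields.get("capname"), fields.get("capability")
    if name is None or number is None:
        return None
    expected = CAP_NUMBERS.get(name)
    if expected is not None and str(expected) != number:
        raise ValueError(f"capability={number} does not match capname={name}")
    return f"capability {name},"


def rules_for_log(log_text: str) -> Dict[str, List[str]]:
    """Map each denied profile to the sorted, deduplicated rules it needs."""
    needed: Dict[str, set] = {}
    for line in log_text.splitlines():
        fields = parse_denial(line)
        rule = suggest_rule(fields)
        if rule is not None:
            needed.setdefault(fields["profile"], set()).add(rule)
    return {profile: sorted(rules) for profile, rules in needed.items()}


if __name__ == "__main__":
    for profile, rules in rules_for_log(SAMPLE_DENIAL).items():
        print(profile, rules)
```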