-# Last Modified: Fri Nov 6 16:41:59 2009
+# Last Modified: Mon Apr 5 15:11:27 2010
#include <abstractions/base>
#include <abstractions/consoles>
/dev/kvm rw,
/dev/ptmx rw,
/dev/kqemu rw,
+ @{PROC}/*/status r,
- # WARNING: uncommenting these gives the guest direct access to host hardware.
- # This is required for USB pass through but is a security risk. You have been
- # warned.
- #/sys/bus/usb/devices/ r,
- #/sys/devices/*/*/usb[0-9]*/** r,
- #/dev/bus/usb/*/[0-9]* rw,
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/*/*/usb[0-9]*/** r,
# WARNING: this gives the guest direct access to host hardware and specific
# portions of shared memory. This is required for sound using ALSA with kvm,
# unless you absolutely need it.
deny capability kill,
+ # Uncomment the following if you need access to /dev/fb*
+ #/dev/fb* rw,
+
/etc/pulse/client.conf r,
@{HOME}/.pulse-cookie rwk,
owner /root/.pulse-cookie rwk,
/usr/share/openhackware/** r,
/usr/share/proll/** r,
/usr/share/vgabios/** r,
+ /usr/share/seabios/** r,
+
+ # access PKI infrastructure
+ /etc/pki/libvirt-vnc/** r,
# the various binaries
/usr/bin/kvm rmix,
/bin/dash rmix,
/bin/dd rmix,
/bin/cat rmix,
-
- # The svirt driver does not relabel the state file
- # (https://bugzilla.redhat.com/show_bug.cgi?id=529363) resulting in denied
- # messages. Uncommenting these lines can work around this somewhat by
- # allowing users to save state files in the specified directory. We use
- # 'owner' to make sure we don't overwrite the user's files.
- #owner @{HOME}/libvirt-state-files/ r,
- #owner @{HOME}/libvirt-state-files/** rw,
-# Last Modified: Mon Jul 06 17:22:37 2009
+# Last Modified: Mon Apr 5 15:10:27 2010
#include <tunables/global>
/usr/lib/libvirt/virt-aa-helper {
deny @{PROC}/[0-9]*/mounts r,
@{PROC}/filesystems r,
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+
/usr/lib/libvirt/virt-aa-helper mr,
/sbin/apparmor_parser Ux,
/etc/apparmor.d/libvirt/* r,
/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
}
-# Last Modified: Wed Sep 23 23:23:58 2009
+# Last Modified: Mon Apr 5 15:03:58 2010
#include <tunables/global>
@{LIBVIRT}="libvirt"
capability chown,
capability setpcap,
capability mknod,
+ capability fsetid,
network inet stream,
network inet dgram,
/sbin/* Ux,
/usr/bin/* Ux,
/usr/sbin/* Ux,
- /usr/lib/libvirt/* Ux,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/virt-aa-helper Pxr,
+ /usr/lib/libvirt/* PUxr,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
projects / thirdparty / libvirt.git / commitdiff
