From: Jamie Strandboge
Date: Tue, 19 Dec 2017 15:03:43 +0000 (+0100)
Subject: apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*
X-Git-Tag: v4.0.0-rc1~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfd960bca6cef65e12d5f2b23224fbae67493e35;p=thirdparty%2Flibvirt.git

apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*

This is required for the ebtables functionality added in libvirt 0.8.0.

Signed-off-by: Stefan Bader
---
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index febe8a4075..a1083b0410 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -79,6 +79,10 @@
 /usr/{lib,lib64}/xen/bin/* Ux,
 /usr/lib/xen-*/bin/libxl-save-helper PUx,
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # read and run an ebtables script.
+ /var/lib/libvirt/virtd* ixr,
+
 # force the use of virt-aa-helper
 audit deny /{usr/,}sbin/apparmor_parser rwxl,
 audit deny /etc/apparmor.d/libvirt/** wxl,
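Review bot: The added rule `/var/lib/libvirt/virtd* ixr,` lets any file in that directory whose name starts with `virtd` be executed under the inherited libvirtd profile, while the accompanying comment says libvirtd itself writes that file, so the confined daemon ends up with a location it can both write and execute. If ebiptablesWriteToTempFile() creates the file from a fixed mkstemp-style template, the glob could be narrowed to the template's exact length (for a six-character random suffix, `/var/lib/libvirt/virtd?????? ixr,`); the template is not visible in this hunk, so that has to be checked against the driver. The comment would also be more useful to the next auditor if it stated the assumption the rule rests on, for example `# Script is generated by libvirtd; the directory must stay root-owned and not writable by guests.`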