File install-apparmor-profiles.patch of Package libvirt

Index: libvirt-1.2.5/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.2.5.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.5/examples/apparmor/Makefile.am
@@ -19,10 +19,22 @@ EXTRA_DIST=				\
 	TEMPLATE.lxc			\
 	libvirt-qemu			\
 	libvirt-lxc 			\
-	usr.lib.libvirt.virt-aa-helper	\
-	usr.sbin.libvirtd
+	usr.lib.libvirt.virt-aa-helper.in	\
+	usr.sbin.libvirtd.in
 
 if WITH_APPARMOR_PROFILES
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
+	sed                                     \
+	    -e 's![@]libdir[@]!$(libdir)!g'     \
+	    < $< > $@-t
+	mv $@-t $@
+
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
+	sed                                     \
+	    -e 's![@]libdir[@]!$(libdir)!g'     \
+	    < $< > $@-t
+	mv $@-t $@
+
 apparmordir = $(sysconfdir)/apparmor.d/
 apparmor_DATA = \
 	usr.lib.libvirt.virt-aa-helper \
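Review bot: The two new rules on lines 17 and 23 list only the `.in` template as a prerequisite, so re-running configure with a different `--libdir` leaves an already-built profile stale with the old path baked into its attachment line; adding `$(top_builddir)/config.status` as a second prerequisite on each rule makes the profiles regenerate when the install layout changes. The generated `usr.lib.libvirt.virt-aa-helper` and `usr.sbin.libvirtd` should also be listed in `CLEANFILES` so `make clean` removes them (and stay out of `EXTRA_DIST`, which the hunk already does) — `CLEANFILES` is outside this hunk, so I cannot see whether that is handled. Since `@libdir@` is the only substitution, the `/etc/apparmor.d/...` and `/usr/sbin/libvirtd` paths inside the templates remain fixed; if a relocatable build is the goal, `-e 's![@]sysconfdir[@]!$(sysconfdir)!g'` and `-e 's![@]sbindir[@]!$(sbindir)!g'` would be added here once the templates use those placeholders. Prefixing the `sed` line with `$(AM_V_GEN)` would keep silent-rules output consistent with the rest of the tree, assuming it uses them.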
Index: libvirt-1.2.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.2.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,48 @@
+# Last Modified: Mon Apr  5 15:10:27 2010
+#include <tunables/global>
+
+@libdir@/libvirt/virt-aa-helper {
+  #include <abstractions/base>
+
+  # needed for searching directories
+  capability dac_override,
+  capability dac_read_search,
+
+  # needed for when disk is on a network filesystem
+  network inet,
+
+  deny @{PROC}/[0-9]*/mounts r,
+  @{PROC}/[0-9]*/net/psched r,
+  owner @{PROC}/[0-9]*/status r,
+  @{PROC}/filesystems r,
+
+  # for hostdev
+  /sys/devices/ r,
+  /sys/devices/** r,
+
+  @libdir@/libvirt/virt-aa-helper mr,
+  /sbin/apparmor_parser Ux,
+
+  /etc/apparmor.d/libvirt/* r,
+  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+  # for backingstore -- allow access to non-hidden files in @{HOME} as well
+  # as storage pools
+  audit deny @{HOME}/.* mrwkl,
+  audit deny @{HOME}/.*/ rw,
+  audit deny @{HOME}/.*/** mrwkl,
+  audit deny @{HOME}/bin/ rw,
+  audit deny @{HOME}/bin/** mrwkl,
+  @{HOME}/ r,
+  @{HOME}/** r,
+  /var/lib/libvirt/images/ r,
+  /var/lib/libvirt/images/** r,
+  /{media,mnt,opt,srv}/** r,
+
+  /**.img r,
+  /**.qcow{,2} r,
+  /**.qed r,
+  /**.vmdk r,
+  /**.[iI][sS][oO] r,
+  /**/disk{,.*} r,
+}
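Review bot: Only `@libdir@` is templated in this profile, while lines 62–63 still hard-code `/etc/apparmor.d/libvirt/` even though the Makefile hunk installs the profiles under `$(sysconfdir)/apparmor.d/`; a build with a non-`/etc` sysconfdir would therefore install the profile, but virt-aa-helper would be denied the `rw` it needs to write the per-guest `libvirt-<uuid>` profiles. Either template these two lines as `@sysconfdir@/apparmor.d/libvirt/* r,` and `@sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-... rw,` with a matching sed expression, or pin `apparmordir` to `/etc/apparmor.d/` in the Makefile, since apparmor_parser itself expects that directory; the two should agree either way. `/sbin/apparmor_parser Ux` on line 60 is likewise a fixed path that runs unconfined, and it is worth a comment that the helper deliberately hands off to the parser rather than loading profiles itself, so a future reviewer does not tighten it by mistake.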
Index: libvirt-1.2.5/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.2.5/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,70 @@
+# Last Modified: Mon Apr  5 15:03:58 2010
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setgid,
+  capability sys_admin,
+  capability sys_module,
+  capability sys_ptrace,
+  capability sys_pacct,
+  capability sys_nice,
+  capability sys_chroot,
+  capability setuid,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability chown,
+  capability setpcap,
+  capability mknod,
+  capability fsetid,
+  capability audit_write,
+  capability ipc_lock,
+
+  # Needed for vfio
+  capability sys_resource,
+
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+  network packet dgram,
+  network packet raw,
+
+  # Very lenient profile for libvirtd since we want to first focus on confining
+  # the guests. Guests will have a very restricted profile.
+  / r,
+  /** rwmkl,
+
+  /bin/* PUx,
+  /sbin/* PUx,
+  /usr/bin/* PUx,
+  /usr/sbin/* PUx,
+  /lib/udev/scsi_id PUx,
+  /usr/lib/xen/bin/* Ux,
+  /usr/lib64/xen/bin/* Ux,
+  /usr/lib/polkit-1/polkit-agent-helper Px,
+
+  # force the use of virt-aa-helper
+  audit deny /sbin/apparmor_parser rwxl,
+  audit deny /etc/apparmor.d/libvirt/** wxl,
+  audit deny /sys/kernel/security/apparmor/features rwxl,
+  audit deny /sys/kernel/security/apparmor/matching rwxl,
+  audit deny /sys/kernel/security/apparmor/.* rwxl,
+  /sys/kernel/security/apparmor/profiles r,
+  @libdir@/libvirt/* PUxr,
+  /etc/libvirt/hooks/** rmix,
+  /etc/xen/scripts/** rmix,
+  @libdir@/libvirt/libvirt_parthelper Ux,
+  @libdir@/libvirt/libvirt_iohelper Ux,
+
+  # allow changing to our UUID-based named profiles
+  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
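Review bot: Lines 153–154 run `libvirt_parthelper` and `libvirt_iohelper` fully unconfined (`Ux`); as literal paths these take exec-mode precedence over the `@libdir@/libvirt/* PUxr` glob on line 150, which would at least apply a dedicated profile when one exists, and `libvirt_iohelper` handles guest disk images and save files on libvirtd's behalf, so `ix` (inherit libvirtd's confinement) looks like the safer default unless something specifically needs the environment scrub — a comment stating the reason would help either way. The same applies to the new `/usr/lib/xen/bin/* Ux` and `/usr/lib64/xen/bin/* Ux` rules on lines 139–140, which are also hard-coded although `@libdir@` is available two lines further down. The added `capability sys_pacct`, `capability ipc_lock` and `network packet raw` carry no comment saying which feature needs them (only `sys_resource` does); a one-line `# needed for <feature>` on each would let the next reviewer judge whether they can be dropped. Finally, the attachment path `/usr/sbin/libvirtd` on line 94 stays fixed while `@libdir@` is templated, so a build with a different sbindir would install a profile that silently never attaches; `@sbindir@/libvirtd {` with a matching sed expression in the Makefile would close that gap.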
Index: libvirt-1.2.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.2.5.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,48 +0,0 @@
-# Last Modified: Mon Apr  5 15:10:27 2010
-#include <tunables/global>
-
-/usr/lib/libvirt/virt-aa-helper {
-  #include <abstractions/base>
-
-  # needed for searching directories
-  capability dac_override,
-  capability dac_read_search,
-
-  # needed for when disk is on a network filesystem
-  network inet,
-
-  deny @{PROC}/[0-9]*/mounts r,
-  @{PROC}/[0-9]*/net/psched r,
-  owner @{PROC}/[0-9]*/status r,
-  @{PROC}/filesystems r,
-
-  # for hostdev
-  /sys/devices/ r,
-  /sys/devices/** r,
-
-  /usr/lib/libvirt/virt-aa-helper mr,
-  /sbin/apparmor_parser Ux,
-
-  /etc/apparmor.d/libvirt/* r,
-  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
-  # as storage pools
-  audit deny @{HOME}/.* mrwkl,
-  audit deny @{HOME}/.*/ rw,
-  audit deny @{HOME}/.*/** mrwkl,
-  audit deny @{HOME}/bin/ rw,
-  audit deny @{HOME}/bin/** mrwkl,
-  @{HOME}/ r,
-  @{HOME}/** r,
-  /var/lib/libvirt/images/ r,
-  /var/lib/libvirt/images/** r,
-  /{media,mnt,opt,srv}/** r,
-
-  /**.img r,
-  /**.qcow{,2} r,
-  /**.qed r,
-  /**.vmdk r,
-  /**.[iI][sS][oO] r,
-  /**/disk{,.*} r,
-}
Index: libvirt-1.2.5/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.2.5.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,63 +0,0 @@
-# Last Modified: Mon Apr  5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd {
-  #include <abstractions/base>
-  #include <abstractions/dbus>
-
-  capability kill,
-  capability net_admin,
-  capability net_raw,
-  capability setgid,
-  capability sys_admin,
-  capability sys_module,
-  capability sys_ptrace,
-  capability sys_nice,
-  capability sys_chroot,
-  capability setuid,
-  capability dac_override,
-  capability dac_read_search,
-  capability fowner,
-  capability chown,
-  capability setpcap,
-  capability mknod,
-  capability fsetid,
-  capability audit_write,
-
-  # Needed for vfio
-  capability sys_resource,
-
-  network inet stream,
-  network inet dgram,
-  network inet6 stream,
-  network inet6 dgram,
-  network packet dgram,
-
-  # Very lenient profile for libvirtd since we want to first focus on confining
-  # the guests. Guests will have a very restricted profile.
-  / r,
-  /** rwmkl,
-
-  /bin/* PUx,
-  /sbin/* PUx,
-  /usr/bin/* PUx,
-  /usr/sbin/* PUx,
-  /lib/udev/scsi_id PUx,
-  /usr/lib/xen-common/bin/xen-toolstack PUx,
-
-  # force the use of virt-aa-helper
-  audit deny /sbin/apparmor_parser rwxl,
-  audit deny /etc/apparmor.d/libvirt/** wxl,
-  audit deny /sys/kernel/security/apparmor/features rwxl,
-  audit deny /sys/kernel/security/apparmor/matching rwxl,
-  audit deny /sys/kernel/security/apparmor/.* rwxl,
-  /sys/kernel/security/apparmor/profiles r,
-  /usr/lib/libvirt/* PUxr,
-  /etc/libvirt/hooks/** rmix,
-  /etc/xen/scripts/** rmix,
-
-  # allow changing to our UUID-based named profiles
-  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}