File install-apparmor-profiles.patch of Package libvirt

Index: libvirt-0.9.11.4/examples/apparmor/Makefile.am
===================================================================
--- libvirt-0.9.11.4.orig/examples/apparmor/Makefile.am
+++ libvirt-0.9.11.4/examples/apparmor/Makefile.am
@@ -1,8 +1,39 @@
 ## Copyright (C) 2005-2011 Red Hat, Inc.
 ## See COPYING.LIB for the License of this software
 
-EXTRA_DIST=				\
-	TEMPLATE			\
-	libvirt-qemu			\
-	usr.lib.libvirt.virt-aa-helper	\
-	usr.sbin.libvirtd
+EXTRA_DIST=					\
+	TEMPLATE				\
+	libvirt-qemu				\
+	usr.lib.libvirt.virt-aa-helper.in	\
+	usr.sbin.libvirtd.in
+
+if WITH_SECDRIVER_APPARMOR
+
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
+	sed                                     \
+	    -e 's![@]libdir[@]!$(libdir)!g'     \
+	    < $< > $@-t
+	mv $@-t $@
+
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
+	sed                                     \
+	    -e 's![@]libdir[@]!$(libdir)!g'     \
+	    < $< > $@-t
+	mv $@-t $@
+
+install-data-local: usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper
+	mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/
+	$(INSTALL_DATA) usr.lib.libvirt.virt-aa-helper $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
+	$(INSTALL_DATA) usr.sbin.libvirtd $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
+	mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt
+	$(INSTALL_DATA) TEMPLATE $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+	mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions
+	$(INSTALL_DATA) libvirt-qemu $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
+
+uninstall-local::
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+
+endif
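Review bot: The substituted `usr.lib.libvirt.virt-aa-helper` and `usr.sbin.libvirtd` files produced by the two sed rules are never listed for cleanup, so `make clean`/`make distclean` leaves generated copies in the source tree next to their `.in` sources; adding `CLEANFILES = usr.lib.libvirt.virt-aa-helper usr.sbin.libvirtd` inside the `WITH_SECDRIVER_APPARMOR` conditional fixes that. `install-data-local` also unconditionally overwrites whatever already sits in `$(DESTDIR)$(sysconfdir)/apparmor.d/` — these are live MAC policy files an administrator may have tightened, so a reinstall silently reverts local hardening; a comment such as `# NOTE: overwrites existing profiles in apparmor.d; packagers should treat these as config files` would warn the next maintainer, and a packaging-level config marking is the real fix. Minor style point: `uninstall-local::` is a double-colon rule while `install-data-local:` is single-colon; automake's documented form for both hooks is single-colon.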
Index: libvirt-0.9.11.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-0.9.11.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,40 @@
+# Last Modified: Fri Aug 19 11:21:48 2011
+#include <tunables/global>
+
+@libdir@/libvirt/virt-aa-helper {
+  #include <abstractions/base>
+
+  # needed for searching directories
+  capability dac_override,
+  capability dac_read_search,
+
+  # needed for when disk is on a network filesystem
+  network inet,
+
+  deny @{PROC}/[0-9]*/mounts r,
+  @{PROC}/filesystems r,
+
+  # for hostdev
+  /sys/devices/ r,
+  /sys/devices/** r,
+
+  @libdir@/libvirt/virt-aa-helper mr,
+  /sbin/apparmor_parser Ux,
+
+  /etc/apparmor.d/libvirt/* r,
+  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+  # for backingstore -- allow access to non-hidden files in @{HOME} as well
+  # as storage pools
+  audit deny @{HOME}/.* mrwkl,
+  audit deny @{HOME}/.*/ rw,
+  audit deny @{HOME}/.*/** mrwkl,
+  audit deny @{HOME}/bin/ rw,
+  audit deny @{HOME}/bin/** mrwkl,
+  @{HOME}/ r,
+  @{HOME}/** r,
+  /var/lib/libvirt/images/ r,
+  /var/lib/libvirt/images/** r,
+  /var/lib/kvm/images/ r,
+  /var/lib/kvm/images/** r,
+}
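Review bot: The profile now substitutes `@libdir@` for the helper's own path, but the rules on the apparmor.d side (`/etc/apparmor.d/libvirt/* r` and the `rw` rule for the per-guest `libvirt-<uuid>` files) are still hard-coded to `/etc`, whereas the Makefile hunk installs that directory under `$(sysconfdir)/apparmor.d/libvirt`; on a build with a non-default sysconfdir virt-aa-helper would be denied writes to the very directory it is installed to use. Substituting `@sysconfdir@/apparmor.d/libvirt/` (with a matching sed expression in the Makefile) keeps the two in step. The added `/var/lib/kvm/images/ r` and `/var/lib/kvm/images/** r` entries widen the read set relative to the profile they replace with no note on why — presumably a distribution default pool path; a comment like `# distribution default storage pool location` would record that. Worth also stating explicitly that `/sbin/apparmor_parser Ux` plus `rw` on the UUID profile files means this helper can load arbitrary policy, so its input validation is the security boundary here.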
Index: libvirt-0.9.11.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-0.9.11.4.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,38 +0,0 @@
-# Last Modified: Mon Apr  5 15:10:27 2010
-#include <tunables/global>
-
-/usr/lib/libvirt/virt-aa-helper {
-  #include <abstractions/base>
-
-  # needed for searching directories
-  capability dac_override,
-  capability dac_read_search,
-
-  # needed for when disk is on a network filesystem
-  network inet,
-
-  deny @{PROC}/[0-9]*/mounts r,
-  @{PROC}/filesystems r,
-
-  # for hostdev
-  /sys/devices/ r,
-  /sys/devices/** r,
-
-  /usr/lib/libvirt/virt-aa-helper mr,
-  /sbin/apparmor_parser Ux,
-
-  /etc/apparmor.d/libvirt/* r,
-  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
-  # as storage pools
-  audit deny @{HOME}/.* mrwkl,
-  audit deny @{HOME}/.*/ rw,
-  audit deny @{HOME}/.*/** mrwkl,
-  audit deny @{HOME}/bin/ rw,
-  audit deny @{HOME}/bin/** mrwkl,
-  @{HOME}/ r,
-  @{HOME}/** r,
-  /var/lib/libvirt/images/ r,
-  /var/lib/libvirt/images/** r,
-}
Index: libvirt-0.9.11.4/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-0.9.11.4.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,52 +0,0 @@
-# Last Modified: Mon Apr  5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd {
-  #include <abstractions/base>
-
-  capability kill,
-  capability net_admin,
-  capability net_raw,
-  capability setgid,
-  capability sys_admin,
-  capability sys_module,
-  capability sys_ptrace,
-  capability sys_nice,
-  capability sys_chroot,
-  capability setuid,
-  capability dac_override,
-  capability dac_read_search,
-  capability fowner,
-  capability chown,
-  capability setpcap,
-  capability mknod,
-  capability fsetid,
-
-  network inet stream,
-  network inet dgram,
-  network inet6 stream,
-  network inet6 dgram,
-
-  # Very lenient profile for libvirtd since we want to first focus on confining
-  # the guests. Guests will have a very restricted profile.
-  /** rwmkl,
-
-  /bin/* Ux,
-  /sbin/* Ux,
-  /usr/bin/* Ux,
-  /usr/sbin/* Ux,
-
-  # force the use of virt-aa-helper
-  audit deny /sbin/apparmor_parser rwxl,
-  audit deny /etc/apparmor.d/libvirt/** wxl,
-  audit deny /sys/kernel/security/apparmor/features rwxl,
-  audit deny /sys/kernel/security/apparmor/matching rwxl,
-  audit deny /sys/kernel/security/apparmor/.* rwxl,
-  /sys/kernel/security/apparmor/profiles r,
-  /usr/lib/libvirt/* PUxr,
-
-  # allow changing to our UUID-based named profiles
-  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
Index: libvirt-0.9.11.4/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-0.9.11.4/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,58 @@
+# Last Modified: Fri Aug 19 11:20:36 2011
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+  #include <abstractions/base>
+
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setgid,
+  capability sys_admin,
+  capability sys_module,
+  capability sys_ptrace,
+  capability sys_nice,
+  capability sys_chroot,
+  capability setuid,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability chown,
+  capability setpcap,
+  capability mknod,
+  capability fsetid,
+  capability ipc_lock,
+  capability audit_write,
+
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+
+  # Very lenient profile for libvirtd since we want to first focus on confining
+  # the guests. Guests will have a very restricted profile.
+  /** rwmkl,
+
+  /bin/* Ux,
+  /sbin/* Ux,
+  /usr/bin/* Ux,
+  /usr/sbin/* Ux,
+  /usr/lib/xen/bin/qemu-dm Ux,
+  /usr/lib/PolicyKit/polkit-read-auth-helper Px,
+
+  # force the use of virt-aa-helper
+  audit deny /sbin/apparmor_parser rwxl,
+  audit deny /etc/apparmor.d/libvirt/** wxl,
+  audit deny /sys/kernel/security/apparmor/features rwxl,
+  audit deny /sys/kernel/security/apparmor/matching rwxl,
+  audit deny /sys/kernel/security/apparmor/.* rwxl,
+  /sys/kernel/security/apparmor/profiles r,
+  @libdir@/libvirt/* Pxr,
+  @libdir@/libvirt/libvirt_parthelper Ux,
+  @libdir@/libvirt/libvirt_iohelper Ux,
+
+  # allow changing to our UUID-based named profiles
+  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
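Review bot: `/usr/lib/xen/bin/qemu-dm Ux` executes the Xen device model unconfined, so the comment a few lines above promising that guests "will have a very restricted profile" does not hold for Xen HVM guests — qemu-dm is the guest-facing process that confinement exists for. If the xen driver genuinely cannot go through virt-aa-helper, document the gap rather than leave it implicit: `# qemu-dm runs unconfined: no per-guest profile is generated for the xen driver`. The attachment path `/usr/sbin/libvirtd` also stays hard-coded while the helper rules switch to `@libdir@`; `@sbindir@/libvirtd` with a corresponding sed substitution would be consistent with the rest of this patch. The newly added `capability ipc_lock,` and `capability audit_write,` carry no comment on what needs them; a one-line reason on each (as the other sections of the profile do) would help future tightening.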
Index: libvirt-0.9.11.4/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-0.9.11.4.orig/examples/apparmor/libvirt-qemu
+++ libvirt-0.9.11.4/examples/apparmor/libvirt-qemu
@@ -52,6 +52,7 @@
   # access to firmware's etc
   /usr/share/kvm/** r,
   /usr/share/qemu/** r,
+  /usr/share/qemu-kvm/** r,
   /usr/share/bochs/** r,
   /usr/share/openbios/** r,
   /usr/share/openhackware/** r,
@@ -65,6 +66,7 @@
   # the various binaries
   /usr/bin/kvm rmix,
   /usr/bin/qemu rmix,
+  /usr/bin/qemu-kvm rmix,
   /usr/bin/qemu-system-arm rmix,
   /usr/bin/qemu-system-cris rmix,
   /usr/bin/qemu-system-i386 rmix,