(In reply to James Fehlig from comment #1)
> (In reply to Christian Boltz from comment #0)
> > signal send set=hup peer=/usr/sbin/dnsmasq,
> > signal send set=(term,kill) peer=unconfined,
> These are the ones needed in SLE15. Note that Jamie suggested changing the
> signal rules to
>
> signal (send) peer=/usr/sbin/dnsmasq,
> signal (send) peer=libvirt-*,

Removing the set=... means to allow all signals, so this is fine.
The rule with peer=libvirt-* also makes sense.

The interesting question is if peer=unconfined (sending a signal to a program running without AppArmor confinement) is needed - IIRC I've seen such an event in my audit.log, but I'm not sure what it was. I'll re-test when the updated profile enters Tumbleweed.

> > Also, several mount rules are needed - either as a generous "mount," rule
> > (as proposed by intrigeri as a quick fix to allow mounting everything), or
> > with the following detailed rules (which are more restrictive, but might
> > still need some adjustments) ...
> intrigeri included these rules in V3 of his series
>
> https://www.redhat.com/archives/libvir-list/2017-November/msg00162.html

Yeah, he already joked that this is a real cross-distribution patchset:

<intrigeri> it's nice to have a PR (libvirt upstream) prepared by a Debian person, that integrates work coming from openSUSE, and reviewed by an Ubuntu person :)
<intrigeri> + chances are it's merged by a Red Hat person :)

> I think patch1 is fine and has essentially already been ACKed by Jamie. I'd
> prefer Jamie's feedback on patch2 as well, since I'm far from an apparmor
> expert.

The quick summary is that the detailed mount rules are more restrictive than the general "mount," rule (which allows all mounting).

> Even though they are not yet committed upstream, I'll add these patches to
> the Factory libvirt package so libvirt will actually work with latest TW and
> SLE15.

Thanks!
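Added example, not part of the bug report or of the libvirt/AppArmor patches: a small Python parser over constructed audit.log lines that turns denied signal events into either the minimal set=(...) rules or the broader form without set= (which allows every signal to that peer), and lists which profiles would need a peer=unconfined rule. The log lines, pids, timestamps and the libvirt-* UUID are made up; the field layout follows AppArmor's audit format.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (values invented for illustration).
SAMPLE_LOG = """\
type=AVC msg=audit(1510000000.100:201): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1201 comm="libvirtd" requested_mask="send" denied_mask="send" signal=hup peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1510000000.200:202): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1201 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
type=AVC msg=audit(1510000000.300:203): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1201 comm="libvirtd" requested_mask="send" denied_mask="send" signal=kill peer="unconfined"
type=AVC msg=audit(1510000000.400:204): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/libvirtd" pid=1201 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="libvirt-11111111-2222-3333-4444-555555555555"
type=AVC msg=audit(1510000000.500:205): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=1201 comm="libvirtd" flags="rw, rslave"
"""

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Return the key=value fields of one audit line, quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def signal_denials(log_text):
    """Map (profile, peer) -> set of signal names that were denied on send."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") != "DENIED" or ev.get("operation") != "signal":
            continue  # ALLOWED (complain-mode) and mount events are not signal denials
        if "send" not in ev.get("denied_mask", ""):
            continue
        denied[(ev["profile"], ev["peer"])].add(ev["signal"])
    return denied


def suggest_rules(denied, minimal=True):
    """Render rules. minimal=True keeps set=(...) to exactly the observed signals;
    minimal=False drops set=, which permits every signal to that peer."""
    rules = []
    for (_profile, peer), sigs in sorted(denied.items()):
        if minimal:
            rules.append(f"signal send set=({','.join(sorted(sigs))}) peer={peer},")
        else:
            rules.append(f"signal (send) peer={peer},")
    return rules


def profiles_needing_unconfined(denied):
    """Profiles that signalled an unconfined process, i.e. would need peer=unconfined."""
    return sorted({profile for (profile, peer) in denied if peer == "unconfined"})


if __name__ == "__main__":
    d = signal_denials(SAMPLE_LOG)
    print("\n".join(suggest_rules(d)))
    print("\n".join(suggest_rules(d, minimal=False)))
    print(profiles_needing_unconfined(d))
```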