(In reply to Christian Boltz from comment #13)
> Can you please send v3? ;-)

I sent it based on Jamie's feedback, before seeing this response :-/.

> + ptrace (tace) peer=(label= {profile_name}),
>
> should be
>
> + ptrace (trace) peer=@{profile_name},
>
> That's "trace" instead of "tace", you'll need an @ to prefix variables, and
> ptrace rules don't accept the "peer=(label=...)" syntax ;-)

I verified apparmor_parser actually succeeds this time.

> That said - what's the intention of this rule? IMHO the other two should be
> enough. (See also Jamie's mail
> https://www.redhat.com/archives/libvir-list/2017-September/msg00841.html -
> but he also missed the @ for the variable)

This rule was a failed attempt to squelch the below denial

> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
>
> Your added rules don't cover this, so you'll probably need another rule
> ptrace trace peer=libvirt-*,

Added in V3
https://www.redhat.com/archives/libvir-list/2017-September/msg00844.html

> Also, it looks like you need to add
> /etc/libnl/classid r,
> to the virt-aa-helper profile.

I'll send a separate patch for that one.
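The following is an added Python example, not part of this thread and not aa-logprof: it parses the AVC denial quoted above into its fields and derives the `ptrace trace peer=libvirt-*,` rule the reply suggests, generalising the per-guest `libvirt-<uuid>` label to a glob so one rule covers every guest instead of one rule per VM. The field regex, the UUID pattern and the helper names are assumptions made for this example.

```python
import re

# Constructed sample: the ptrace denial quoted in the thread above.
SAMPLE_DENIAL = (
    'type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" '
    'operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 '
    'comm="libvirtd" requested_mask="trace" denied_mask="trace" '
    'peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"'
)

# key="value" or bare key=value pairs (assumed field layout of audit lines).
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# libvirt labels each guest as libvirt-<uuid>; matching that shape lets us
# collapse the per-guest label into the libvirt-* glob from the reply.
_LIBVIRT_LABEL_RE = re.compile(
    r'^libvirt-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
)


def parse_denial(line: str) -> dict:
    """Split an AppArmor audit line into a dict of its key=value fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _FIELD_RE.finditer(line)}


def suggest_ptrace_rule(line: str):
    """Return the rule that would permit a DENIED ptrace event, else None.

    Hypothetical helper: handles operation="ptrace" only and generalises a
    per-guest libvirt-<uuid> peer label to libvirt-*.
    """
    fields = parse_denial(line)
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "ptrace":
        return None
    peer = fields["peer"]
    if _LIBVIRT_LABEL_RE.match(peer):
        peer = "libvirt-*"
    # ptrace rules take a bare peer=..., not the peer=(label=...) wrapper.
    return f'ptrace {fields["denied_mask"]} peer={peer},'


if __name__ == "__main__":
    print(parse_denial(SAMPLE_DENIAL)["profile"])
    print(suggest_ptrace_rule(SAMPLE_DENIAL))  # ptrace trace peer=libvirt-*,
```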