Comment # 7 on bug 1065123 from
(In reply to Christian Boltz from comment #6)
> Ah, that explains peer=unconfined - intrigeri already wondered why it's
> needed, so please add this detail when upstreaming this rule.

I don't think I'll be upstreaming the rule since security_default_confined
defaults to 1 upstream. The upstream rules are sufficient for the default
upstream configuration. Recall all the libvirt apparmor profiles are located
under the 'examples' directory. Downstreams are free to tweak those as they
desire.

WRT SUSE's default of 'security_default_confined = 0', I made confinement of
VMs opt-in from the beginning. To date, no one has complained about that, or
filed a fate request to change it.

