Comment # 9 on bug 1058847 from
(In reply to Christian Boltz from comment #8)
> I hope this is really only a *temporary* fix - the rules you added are very
> broad and allow much more than needed.

Definitely temporary. The changes are based on the latest RFC version of patches
from one of the Ubuntu devs. In the end, I'll replace it with whatever upstream
finds acceptable.

> (Feel free to forward this comment to
> the upstream mailing list ;-)

I will, but assume some of the AppArmor devs that lurk on the libvirt list will
have the same opinion :-).

> FYI: (u)mount, signal and pivot_root will be supported by kernel 4.14, and
> 4.15 will have unix and dbus rule support. Also, the plan (fate#323500) is
> to support them in Leap/SLE 15.

Do profile rules covering these checks need to be conditionalized based on
version? I.e., is it safe to have signal rules when not supported by the
kernel? I haven't noticed any problems with such rules on my kernel 4.13 TW
machine.

