Comment # 13 on bug 1058847 from
Can you please send v3? ;-)

+  ptrace (tace) peer=(label= {profile_name}),

should be 

+  ptrace (trace) peer=@{profile_name},

That's "trace" instead of "tace", you'll need an @ to prefix variables, and
ptrace rules don't accept the "peer=(label=...)" syntax ;-)

That said - what's the intention of this rule? IMHO the other two should be
enough. (See also Jamie's mail
https://www.redhat.com/archives/libvir-list/2017-September/msg00841.html - but
he also missed the @ for the variable)


I also wonder about

type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"

Your added rules don't cover this, so you'll probably need another rule 
    ptrace trace peer=libvirt-*,
(or a more detailed AARE if you prefer to keep it more restrictive)


Also, it looks like you need to add
  /etc/libnl/classid r,
to the virt-aa-helper profile.


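As an added illustration (not code from the bug report or from libvirt), the following script shows the workflow the comment walks through by hand: parse AppArmor "DENIED" audit records and turn each one into the rule that would cover it, collapsing per-domain libvirt-<UUID> peers to the libvirt-* AARE glob the comment suggests and emitting plain file rules for path denials. The ptrace record is the one quoted above; the virt-aa-helper record, its profile path and its pid are constructed sample data.

```python
import re

# Constructed sample input. Audit records are single lines in
# /var/log/audit/audit.log; the bug comment wraps the first one for readability.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" '
    'denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"',
    # Constructed: a file-open denial for the virt-aa-helper profile
    # (profile path and pid are assumptions, not taken from the bug).
    'type=AVC msg=audit(1506112700.001:1330): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/libnl/classid" pid=8400 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Per-domain profiles generated by virt-aa-helper are named libvirt-<UUID>.
LIBVIRT_DOMAIN_RE = re.compile(
    r'^libvirt-[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$')


def parse_audit_line(line):
    """Return the key=value fields of one audit record, quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = val
    return fields


def generalize_peer(peer):
    """One rule per domain UUID is unmaintainable, so a libvirt-<UUID> peer is
    collapsed to the libvirt-* glob; any other peer label is kept exact, which is
    the more restrictive choice."""
    if LIBVIRT_DOMAIN_RE.match(peer):
        return "libvirt-*"
    return peer


def suggest_rule(fields):
    """Turn one DENIED record into an AppArmor rule line, or None if it is not a
    denial this helper knows how to express."""
    if fields.get("apparmor") != "DENIED":
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    if fields.get("operation") == "ptrace":
        # ptrace rules take a bare access and peer=<label>; the
        # peer=(label=...) form used by signal/unix rules is not accepted here.
        return f"ptrace {mask} peer={generalize_peer(fields['peer'])},"
    if "name" in fields:
        # File rule: path followed by the denied permission letters.
        return f"{fields['name']} {mask},"
    return None


def rules_by_profile(lines):
    """Group the suggested rules by the profile that produced the denial."""
    out = {}
    for line in lines:
        fields = parse_audit_line(line)
        rule = suggest_rule(fields)
        if rule:
            out.setdefault(fields["profile"], []).append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_DENIALS).items():
        print(f"# add to the profile for {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

Running it prints "ptrace trace peer=libvirt-*," under the libvirtd profile and "/etc/libnl/classid r," under the virt-aa-helper profile, matching the two additions the comment asks for. Keep the generated lines as a starting point for review rather than pasting them in blindly: a denial only tells you what was blocked, not whether the profile ought to allow it.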