libvirt-qemu

# Last Modified: Wed Sep 3 21:52:03 2014

  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # required for reading disk images
  capability dac_override,
  capability dac_read_search,
  capability chown,

  # needed to drop privileges
  capability setgid,
  capability setuid,

  network inet stream,
  network inet6 stream,

  /dev/net/tun rw,
  /dev/kvm rw,
  /dev/ptmx rw,
  /dev/kqemu rw,
  @{PROC}/*/status r,
  # Per man(5) proc, the kernel enforces that a thread may
  # only modify its comm value or those in its thread group.
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  @{PROC}/sys/kernel/cap_last_cap r,

  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/devices/**/usb[0-9]*/** r,

  # WARNING: this gives the guest direct access to host hardware and specific
  # portions of shared memory. This is required for sound using ALSA with kvm,
  # but may constitute a security risk. If your environment does not require
  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
  # the rules for files in /dev.
  /{dev,run}/shm r,
  /{dev,run}/shmpulse-shm* r,
  /{dev,run}/shmpulse-shm* rwk,
  /dev/snd/* rw,
  capability ipc_lock,
  # spice
  owner /{dev,run}/shm/spice.* rw,
  # 'kill' is not required for sound and is a security risk. Do not enable
  # unless you absolutely need it.
  deny capability kill,

  # Uncomment the following if you need access to /dev/fb*
  #/dev/fb* rw,

  /etc/pulse/client.conf r,
  @{HOME}/.pulse-cookie rwk,
  owner /root/.pulse-cookie rwk,
  owner /root/.pulse/ rw,
  owner /root/.pulse/* rw,
  /usr/share/alsa/** r,
  owner /tmp/pulse-*/ rw,
  owner /tmp/pulse-*/* rw,
  /var/lib/dbus/machine-id r,

  # access to firmware's etc
  /usr/share/kvm/** r,
  /usr/share/qemu/** r,
  /usr/share/qemu-kvm/** r,
  /usr/share/bochs/** r,
  /usr/share/openbios/** r,
  /usr/share/openhackware/** r,
  /usr/share/proll/** r,
  /usr/share/vgabios/** r,
  /usr/share/seabios/** r,
  /usr/share/ovmf/** r,

  # access PKI infrastructure
  /etc/pki/libvirt-vnc/** r,

  # the various binaries
  /usr/bin/kvm rmix,
  /usr/bin/qemu rmix,
  /usr/bin/qemu-kvm rmix,
  /usr/bin/qemu-system-aarch64 rmix,
  /usr/bin/qemu-system-alpha rmix,
  /usr/bin/qemu-system-arm rmix,
  /usr/bin/qemu-system-cris rmix,
  /usr/bin/qemu-system-i386 rmix,
  /usr/bin/qemu-system-lm32 rmix,
  /usr/bin/qemu-system-m68k rmix,
  /usr/bin/qemu-system-microblaze rmix,
  /usr/bin/qemu-system-microblazeel rmix,
  /usr/bin/qemu-system-mips rmix,
  /usr/bin/qemu-system-mips64 rmix,
  /usr/bin/qemu-system-mips64el rmix,
  /usr/bin/qemu-system-mipsel rmix,
  /usr/bin/qemu-system-moxie rmix,
  /usr/bin/qemu-system-or32 rmix,
  /usr/bin/qemu-system-ppc rmix,
  /usr/bin/qemu-system-ppc64 rmix,
  /usr/bin/qemu-system-ppcemb rmix,
  /usr/bin/qemu-system-s390x rmix,
  /usr/bin/qemu-system-sh4 rmix,
  /usr/bin/qemu-system-sh4eb rmix,
  /usr/bin/qemu-system-sparc rmix,
  /usr/bin/qemu-system-sparc64 rmix,
  /usr/bin/qemu-system-tricore rmix,
  /usr/bin/qemu-system-unicore32 rmix,
  /usr/bin/qemu-system-x86_64 rmix,
  /usr/bin/qemu-system-xtensa rmix,
  /usr/bin/qemu-system-xtensaeb rmix,
  /usr/bin/qemu-aarch64 rmix,
  /usr/bin/qemu-alpha rmix,
  /usr/bin/qemu-arm rmix,
  /usr/bin/qemu-armeb rmix,
  /usr/bin/qemu-cris rmix,
  /usr/bin/qemu-i386 rmix,
  /usr/bin/qemu-m68k rmix,
  /usr/bin/qemu-microblaze rmix,
  /usr/bin/qemu-microblazeel rmix,
  /usr/bin/qemu-mips rmix,
  /usr/bin/qemu-mips64 rmix,
  /usr/bin/qemu-mips64el rmix,
  /usr/bin/qemu-mipsel rmix,
  /usr/bin/qemu-mipsn32 rmix,
  /usr/bin/qemu-mipsn32el rmix,
  /usr/bin/qemu-nbd rmix,
  /usr/bin/qemu-or32 rmix,
  /usr/bin/qemu-ppc rmix,
  /usr/bin/qemu-ppc64 rmix,
  /usr/bin/qemu-ppc64abi32 rmix,
  /usr/bin/qemu-ppc64le rmix,
  /usr/bin/qemu-s390x rmix,
  /usr/bin/qemu-sh4 rmix,
  /usr/bin/qemu-sh4eb rmix,
  /usr/bin/qemu-sparc rmix,
  /usr/bin/qemu-sparc32plus rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-unicore32 rmix,
  /usr/bin/qemu-x86_64 rmix,
  /usr/{lib,lib64}/qemu/block-curl.so mr,
  /usr/{lib,lib64}/qemu/block-rbd.so mr,

  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,
  /{usr/,}bin/cat rmix,

  # for restore
  /{usr/,}bin/bash rmix,

  # for usb access
  /dev/bus/usb/ r,
  /etc/udev/udev.conf r,
  /sys/bus/ r,
  /sys/class/ r,