From: Stefan Bader <stefan.ba...@canonical.com> When using xen through libxl in Debian/Ubuntu it needs to be able to call pygrub.
This is placed in a versioned path like /usr/lib/xen-4.11/bin. In theory the rule could be more strict by rendering the libexec_dir setting pkg-config can derive from libbxen-dev. But that would make particular libvirt/xen packages version-depend on each other. It seems more reasonable to avoid these versioned dependencies and use a wildcard rule instead as it is already in place for libxl-save-helper. Note: This change was in Debian [1] and Ubuntu [2] for quite some time already. [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768 [2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1326003 Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index 1e137039e9..312fa4b6d1 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, /usr/lib/xen-*/bin/libxl-save-helper PUx, + /usr/lib/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to -- 2.27.0
