apparmor: allow reading cap_last_cap

libcap-ng >= 0.7.4 fails when it can't read /sys/kernel/cap_last_cap
and thus running a qemu guest fails.

Allow reading cap_last_cap in the libvirt-qemu apparmor abstraction.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 83814ecf565c97ff1588828d75a9051deb527d9e..c6de6dd77cf00efa19510c68783e892401a5301a 100644 (file)
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -1,4 +1,4 @@
-# Last Modified: Fri Mar 9 14:43:22 2012
+# Last Modified: Wed Sep 3 21:52:03 2014
 
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -21,6 +21,7 @@
   /dev/ptmx rw,
   /dev/kqemu rw,
   @{PROC}/*/status r,
+  @{PROC}/sys/kernel/cap_last_cap r,
 
   # For hostdev access. The actual devices will be added dynamically
   /sys/bus/usb/devices/ r,