apparmor: allow libvirt to send term signal to unconfined
authorGuido Günther <agx@sigxcpu.org>
Wed, 17 Jan 2018 15:34:01 +0000 (16:34 +0100)
committerMichal Privoznik <mprivozn@redhat.com>
Tue, 6 Feb 2018 16:26:29 +0000 (17:26 +0100)
Otherwise stopping domains with qemu://session fails like

[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

examples/apparmor/usr.sbin.libvirtd

index 0ddec3f6e2b7249374733a9d592598be36473ee3..be4fabf90596dfd65e21a77c3b93994ff743719d 100644 (file)
@@ -63,7 +63,7 @@
 
   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
-  signal (send) set=("kill") peer=unconfined,
+  signal (send) set=("kill", "term") peer=unconfined,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
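Review bot: The widened rule `signal (send) set=("kill", "term") peer=unconfined,` carries no comment explaining why libvirtd must signal unconfined peers, and `peer=unconfined` matches every unconfined process on the host, not only the session-mode QEMU processes the commit message describes. A one-line comment above the rule would keep the reason next to the policy, for example `# session-mode guests show up as peer=unconfined; libvirtd needs kill/term to stop them`. If those guests can be given a dedicated label, narrowing the peer to it would be tighter than extending the signal set, though whether that is possible cannot be seen from this hunk. The profile body starts and ends outside the hunk.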