# Last Modified: Wed Jul  8 09:57:41 2009

  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # required for reading disk images
  capability dac_override,
  capability dac_read_search,
  capability chown,

  # this is needed with libcap-ng support, however it breaks a lot of things
  # atm, so just silence the denial until libcap-ng works right. LP: #522845
  deny capability setpcap,

  network inet stream,
  network inet6 stream,

  /dev/net/tun rw,
  /dev/kvm rw,
  /dev/ptmx rw,
  /dev/kqemu rw,
  @{PROC}/*/status r,

  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/bus/usb/devices/** r,
  /sys/devices/**/usb[0-9]*/** r,
  /dev/bus/usb/*/[0-9]* rw,

  # WARNING: this gives the guest direct access to host hardware and specific
  # portions of shared memory. This is required for sound using ALSA with kvm,
  # but may constitute a security risk. If your environment does not require
  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
  # the rules for files in /dev.
  /dev/shm/ r,
  /dev/shm/pulse-shm* r,
  /dev/shm/pulse-shm* rwk,
  /dev/snd/* rw,
  capability ipc_lock,
  # 'kill' is not required for sound and is a security risk. Do not enable
  # unless you absolutely need it.
  deny capability kill,

  # Uncomment the following if you need access to /dev/fb*
  #/dev/fb* rw,

  /etc/pulse/client.conf r,
  @{HOME}/.pulse-cookie rwk,
  owner /root/.pulse-cookie rwk,
  owner /root/.pulse/ rw,
  owner /root/.pulse/* rw,
  /usr/share/alsa/** r,
  owner /tmp/pulse-*/ rw,
  owner /tmp/pulse-*/* rw,
  /var/lib/dbus/machine-id r,

  # access to firmware's etc
  /usr/share/kvm/** r,
  /usr/share/qemu/** r,
  /usr/share/bochs/** r,
  /usr/share/openbios/** r,
  /usr/share/openhackware/** r,
  /usr/share/proll/** r,
  /usr/share/vgabios/** r,
  /usr/share/seabios/** r,

  # access PKI infrastructure
  /etc/pki/libvirt-vnc/** r,

  # the various binaries
  /bin/sed rmix,
  /usr/bin/kvm rmix,
  /usr/bin/kvm-multicore rmix,
  /usr/bin/qemu rmix,
  /usr/bin/qemu-system-arm rmix,
  /usr/bin/qemu-system-cris rmix,
  /usr/bin/qemu-system-i386 rmix,
  /usr/bin/qemu-system-m68k rmix,
  /usr/bin/qemu-system-mips rmix,
  /usr/bin/qemu-system-mips64 rmix,
  /usr/bin/qemu-system-mips64el rmix,
  /usr/bin/qemu-system-mipsel rmix,
  /usr/bin/qemu-system-ppc rmix,
  /usr/bin/qemu-system-ppc64 rmix,
  /usr/bin/qemu-system-ppcemb rmix,
  /usr/bin/qemu-system-sh4 rmix,
  /usr/bin/qemu-system-sh4eb rmix,
  /usr/bin/qemu-system-sparc rmix,
  /usr/bin/qemu-system-sparc64 rmix,
  /usr/bin/qemu-system-x86_64 rmix,
  /usr/bin/qemu-alpha rmix,
  /usr/bin/qemu-arm rmix,
  /usr/bin/qemu-armeb rmix,
  /usr/bin/qemu-cris rmix,
  /usr/bin/qemu-i386 rmix,
  /usr/bin/qemu-m68k rmix,
  /usr/bin/qemu-mips rmix,
  /usr/bin/qemu-mipsel rmix,
  /usr/bin/qemu-ppc rmix,
  /usr/bin/qemu-ppc64 rmix,
  /usr/bin/qemu-ppc64abi32 rmix,
  /usr/bin/qemu-sh4 rmix,
  /usr/bin/qemu-sh4eb rmix,
  /usr/bin/qemu-sparc rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-sparc32plus rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-x86_64 rmix,

  # for save and resume
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,

  # workaround https://launchpad.net/bugs/457716. The svirt driver does not
  # relabel the state file (https://bugzilla.redhat.com/show_bug.cgi?id=529363)
  # resulting in denied messages. The below works around this somewhat by
  # allowing users to save state files in their home directories. We use
  # 'owner' to make sure we don't overwrite the user's files. This will be
  # removed when the upstream bug is fixed.
  #include <abstractions/private-files-strict>
  owner @{HOME}/ r,
  owner @{HOME}/** rw,