Comment 4 for bug 891472

Lee T. Schermerhorn (lee-schermerhorn) wrote :

I can verify that the following rule does allow libvirtd to execute hooks:

  /etc/libvirt/hooks/** rmix,

Notes:

1) I actually modified /etc/apparmor.d/bin/usr.sbin.libvirtd to contain:

    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.libvirtd>

like other profiles, because I thought the profile should support local additions [a separate issue, I know]. Then, I added the hooks rule above in /etc/apparmor.d/bin/local/usr.sbin.libvirtd. But, really, the hooks rule should be part of the base libvirtd profile.

2) I used the '**' because I use generic daemon and qemu hook scripts that look for "sub-hooks" under /etc/libvirt/hooks/{daemon.d,qemu.d} named <event>-<seq#>-<description> and invoke them in <seq#> order for the current <event>. I did it this way so I could add and remove sub-hooks at will, keeping different features in separate scripts and not polluting the hooks directory namespace any more than I had to -- *.d.

Personally, I'd like to see any official update to the profile use the '**' format, so I don't need to patch that locally.

What's the possibility of backporting the fix to currently supported releases?
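The dispatcher layout described in note 2 above, written out as an added example (this is not the commenter's script, nor anything shipped by libvirt or the Ubuntu package). It is a generic /etc/libvirt/hooks/qemu (or daemon) script that scans the matching qemu.d (or daemon.d) directory for executables named <event>-<seq#>-<description> and runs them in numeric <seq#> order, passing through the arguments libvirt gives a hook (<guest> <operation> <sub-operation> <extra>, with the domain XML on stdin) and stopping at the first failure so that a failing 'prepare' or 'start' sub-hook still aborts the operation. The HOOK_DIR override is a hypothetical knob so the functions can be exercised outside /etc/libvirt; the <name>.d directory convention is taken from the comment, and the '**' rule quoted in the comment is what lets the confined libvirtd read and execute files one level below /etc/libvirt/hooks.

```shell
#!/bin/sh
# Generic libvirt hook dispatcher (added example, not from the bug report or libvirt).
# Install as /etc/libvirt/hooks/qemu (or /etc/libvirt/hooks/daemon) and drop sub-hooks into
# /etc/libvirt/hooks/qemu.d (or daemon.d) named <event>-<seq#>-<description>, e.g.
#   prepare-10-network   started-20-vfio-bind   stopped-10-cleanup
# libvirt invokes the hook as: <hook> <guest> <operation> <sub-operation> <extra>
# with the domain XML on stdin (for the qemu hook).
# Under the AppArmor rule "/etc/libvirt/hooks/** rmix," the sub-hooks are read and
# executed by libvirtd, so they must be executable and are still confined (ix).
#
# HOOK_DIR is a hypothetical override used only to exercise this outside /etc/libvirt;
# libvirt itself does not set it.

set -u

# list_subhooks DIR EVENT: print the executable sub-hooks for EVENT in DIR,
# one path per line, sorted numerically by <seq#>.
list_subhooks() {
    dir=$1
    event=$2
    [ -d "$dir" ] || return 0
    for f in "$dir"/"$event"-*; do
        [ -e "$f" ] || continue                  # glob did not match anything
        [ -f "$f" ] && [ -x "$f" ] || continue   # skip directories and non-executables
        name=${f##*/}
        rest=${name#"$event"-}
        seq=${rest%%-*}
        # Require an all-digit sequence number so e.g. "prepare-foo" is ignored.
        case $seq in
            ''|*[!0-9]*) continue ;;
        esac
        printf '%s %s\n' "$seq" "$f"
    done | sort -n -k1,1 | cut -d' ' -f2-
}

# run_subhooks DIR EVENT [HOOK-ARGS...]: run each sub-hook in order with the original
# hook arguments. The XML from stdin is saved once and fed to every sub-hook.
# Returns the exit status of the first failing sub-hook, 0 if all succeed.
run_subhooks() {
    dir=$1
    event=$2
    shift 2
    xml=$(mktemp) || return 1
    cat > "$xml"
    list_subhooks "$dir" "$event" | while IFS= read -r hook; do
        rc=0
        "$hook" "$@" < "$xml" || rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "libvirt hook: $hook failed with status $rc" >&2
            exit "$rc"   # leaves the pipeline subshell; becomes the pipeline status
        fi
    done
    status=$?
    rm -f "$xml"
    return "$status"
}

# Entry point when invoked by libvirt: <guest> <operation> <sub-operation> <extra>.
# With fewer than two arguments (e.g. when sourced for testing) nothing runs.
if [ $# -ge 2 ]; then
    hook_dir=${HOOK_DIR:-/etc/libvirt/hooks/${0##*/}.d}
    run_subhooks "$hook_dir" "$2" "$@"
    exit $?
fi
```

Because the sub-hooks are executed with "ix", they run under the libvirtd profile, so anything they touch (log files, network tools, device nodes) also has to be allowed there; a sub-hook that silently fails on a denied write is easy to miss, which is why the dispatcher reports the failing script and status on stderr and propagates it.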