Fix apparmor issues for Xen
In order for apparmor to work properly in Xen environments, the following
access rights need to be allowed:
- Allow CAP_SYS_PACCT, which is required when resetting some multi-port
Broadcom cards by writting to the PCI config space
- Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
this setting, an error 'Resource temporarily unavailable' can be seen
while attempting to mmap memory. At the same time, the following
apparmor message is seen:
apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
capname="ipc_lock"
- Allow access to distribution specific directories:
/usr/{lib,lib64}/xen/bin