Index: libvirt-1.1.2/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/Makefile.am
+++ libvirt-1.1.2/examples/apparmor/Makefile.am
@@ -14,8 +14,45 @@
 ## License along with this library.  If not, see
 ## <http://www.gnu.org/licenses/>.
 
-EXTRA_DIST=				\
-	TEMPLATE			\
-	libvirt-qemu			\
-	usr.lib.libvirt.virt-aa-helper	\
-	usr.sbin.libvirtd
+EXTRA_DIST=					\
+	TEMPLATE				\
+	libvirt-qemu.in				\
+	usr.lib.libvirt.virt-aa-helper.in	\
+	usr.sbin.libvirtd.in
+
+if WITH_SECDRIVER_APPARMOR
+
+libvirt-qemu: libvirt-qemu.in
+	sed                                     \
+	    -e 's![@]libdir[@]!$(libdir)!g'     \
+	    < $< > $@-t
+	mv $@-t $@
+
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
+	sed                                     \
+	    -e 's![@]libdir[@]!$(libdir)!g'     \
+	    < $< > $@-t
+	mv $@-t $@
+
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
+	sed                                     \
+	    -e 's![@]libdir[@]!$(libdir)!g'     \
+	    < $< > $@-t
+	mv $@-t $@
+
+install-data-local: libvirt-qemu usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper
+	mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/
+	$(INSTALL_DATA) usr.lib.libvirt.virt-aa-helper $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
+	$(INSTALL_DATA) usr.sbin.libvirtd $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
+	mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt
+	$(INSTALL_DATA) TEMPLATE $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+	mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions
+	$(INSTALL_DATA) libvirt-qemu $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
+
+uninstall-local::
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
+	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+
+endif
Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,41 @@
+# Last Modified: Fri Aug 19 11:21:48 2011
+#include <tunables/global>
+
+@libdir@/libvirt/virt-aa-helper {
+  #include <abstractions/base>
+
+  # needed for searching directories
+  capability dac_override,
+  capability dac_read_search,
+
+  # needed for when disk is on a network filesystem
+  network inet,
+
+  @{PROC}/[0-9]** r,
+  deny @{PROC}/[0-9]*/mounts r,
+  @{PROC}/filesystems r,
+
+  # for hostdev
+  /sys/devices/ r,
+  /sys/devices/** r,
+
+  @libdir@/libvirt/virt-aa-helper mr,
+  /sbin/apparmor_parser Ux,
+
+  /etc/apparmor.d/libvirt/* r,
+  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+  # for backingstore -- allow access to non-hidden files in @{HOME} as well
+  # as storage pools
+  audit deny @{HOME}/.* mrwkl,
+  audit deny @{HOME}/.*/ rw,
+  audit deny @{HOME}/.*/** mrwkl,
+  audit deny @{HOME}/bin/ rw,
+  audit deny @{HOME}/bin/** mrwkl,
+  @{HOME}/ r,
+  @{HOME}/** r,
+  /var/lib/libvirt/images/ r,
+  /var/lib/libvirt/images/** r,
+  /var/lib/kvm/images/ r,
+  /var/lib/kvm/images/** r,
+}
Index: libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,38 +0,0 @@
-# Last Modified: Mon Apr  5 15:10:27 2010
-#include <tunables/global>
-
-/usr/lib/libvirt/virt-aa-helper {
-  #include <abstractions/base>
-
-  # needed for searching directories
-  capability dac_override,
-  capability dac_read_search,
-
-  # needed for when disk is on a network filesystem
-  network inet,
-
-  deny @{PROC}/[0-9]*/mounts r,
-  @{PROC}/filesystems r,
-
-  # for hostdev
-  /sys/devices/ r,
-  /sys/devices/** r,
-
-  /usr/lib/libvirt/virt-aa-helper mr,
-  /sbin/apparmor_parser Ux,
-
-  /etc/apparmor.d/libvirt/* r,
-  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
-  # as storage pools
-  audit deny @{HOME}/.* mrwkl,
-  audit deny @{HOME}/.*/ rw,
-  audit deny @{HOME}/.*/** mrwkl,
-  audit deny @{HOME}/bin/ rw,
-  audit deny @{HOME}/bin/** mrwkl,
-  @{HOME}/ r,
-  @{HOME}/** r,
-  /var/lib/libvirt/images/ r,
-  /var/lib/libvirt/images/** r,
-}
Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,52 +0,0 @@
-# Last Modified: Mon Apr  5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd {
-  #include <abstractions/base>
-
-  capability kill,
-  capability net_admin,
-  capability net_raw,
-  capability setgid,
-  capability sys_admin,
-  capability sys_module,
-  capability sys_ptrace,
-  capability sys_nice,
-  capability sys_chroot,
-  capability setuid,
-  capability dac_override,
-  capability dac_read_search,
-  capability fowner,
-  capability chown,
-  capability setpcap,
-  capability mknod,
-  capability fsetid,
-
-  network inet stream,
-  network inet dgram,
-  network inet6 stream,
-  network inet6 dgram,
-
-  # Very lenient profile for libvirtd since we want to first focus on confining
-  # the guests. Guests will have a very restricted profile.
-  /** rwmkl,
-
-  /bin/* Ux,
-  /sbin/* Ux,
-  /usr/bin/* Ux,
-  /usr/sbin/* Ux,
-
-  # force the use of virt-aa-helper
-  audit deny /sbin/apparmor_parser rwxl,
-  audit deny /etc/apparmor.d/libvirt/** wxl,
-  audit deny /sys/kernel/security/apparmor/features rwxl,
-  audit deny /sys/kernel/security/apparmor/matching rwxl,
-  audit deny /sys/kernel/security/apparmor/.* rwxl,
-  /sys/kernel/security/apparmor/profiles r,
-  /usr/lib/libvirt/* PUxr,
-
-  # allow changing to our UUID-based named profiles
-  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
Index: libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,60 @@
+# Last Modified: Fri Aug 19 11:20:36 2011
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+  #include <abstractions/base>
+
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setgid,
+  capability sys_admin,
+  capability sys_module,
+  capability sys_ptrace,
+  capability sys_nice,
+  capability sys_chroot,
+  capability setuid,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability chown,
+  capability setpcap,
+  capability mknod,
+  capability fsetid,
+  capability ipc_lock,
+
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+  network packet dgram,
+
+  # Very lenient profile for libvirtd since we want to first focus on confining
+  # the guests. Guests will have a very restricted profile.
+  /** rwmkl,
+
+  /bin/* Ux,
+  /sbin/* Ux,
+  /usr/bin/* Ux,
+  /usr/sbin/* Ux,
+  /usr/lib/xen/bin/qemu-dm Ux,
+  /usr/lib/xen/bin/qemu-system-i386 Ux,
+  /usr/lib/PolicyKit/polkit-read-auth-helper Px,
+
+  # force the use of virt-aa-helper
+  audit deny /sbin/apparmor_parser rwxl,
+  audit deny /etc/apparmor.d/libvirt/** wxl,
+  audit deny /sys/kernel/security/apparmor/features rwxl,
+  audit deny /sys/kernel/security/apparmor/matching rwxl,
+  audit deny /sys/kernel/security/apparmor/.* rwxl,
+  /sys/kernel/security/apparmor/profiles r,
+  /etc/xen/scripts/* rx,
+  @libdir@/libvirt/* Pxr,
+  @libdir@/libvirt/libvirt_parthelper Ux,
+  @libdir@/libvirt/libvirt_iohelper Ux,
+
+  # allow changing to our UUID-based named profiles
+  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.1.2.orig/examples/apparmor/libvirt-qemu
+++ /dev/null
@@ -1,129 +0,0 @@
-# Last Modified: Fri Mar 9 14:43:22 2012
-
-  #include <abstractions/base>
-  #include <abstractions/consoles>
-  #include <abstractions/nameservice>
-
-  # required for reading disk images
-  capability dac_override,
-  capability dac_read_search,
-  capability chown,
-
-  network inet stream,
-  network inet6 stream,
-
-  /dev/net/tun rw,
-  /dev/kvm rw,
-  /dev/ptmx rw,
-  /dev/kqemu rw,
-  @{PROC}/*/status r,
-
-  # For hostdev access. The actual devices will be added dynamically
-  /sys/bus/usb/devices/ r,
-  /sys/devices/*/*/usb[0-9]*/** r,
-
-  # WARNING: this gives the guest direct access to host hardware and specific
-  # portions of shared memory. This is required for sound using ALSA with kvm,
-  # but may constitute a security risk. If your environment does not require
-  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
-  # the rules for files in /dev.
-  /{dev,run}/shm r,
-  /{dev,run}/shmpulse-shm* r,
-  /{dev,run}/shmpulse-shm* rwk,
-  /dev/snd/* rw,
-  capability ipc_lock,
-  # 'kill' is not required for sound and is a security risk. Do not enable
-  # unless you absolutely need it.
-  deny capability kill,
-
-  # Uncomment the following if you need access to /dev/fb*
-  #/dev/fb* rw,
-
-  /etc/pulse/client.conf r,
-  @{HOME}/.pulse-cookie rwk,
-  owner /root/.pulse-cookie rwk,
-  owner /root/.pulse/ rw,
-  owner /root/.pulse/* rw,
-  /usr/share/alsa/** r,
-  owner /tmp/pulse-*/ rw,
-  owner /tmp/pulse-*/* rw,
-  /var/lib/dbus/machine-id r,
-
-  # access to firmware's etc
-  /usr/share/kvm/** r,
-  /usr/share/qemu/** r,
-  /usr/share/bochs/** r,
-  /usr/share/openbios/** r,
-  /usr/share/openhackware/** r,
-  /usr/share/proll/** r,
-  /usr/share/vgabios/** r,
-  /usr/share/seabios/** r,
-
-  # access PKI infrastructure
-  /etc/pki/libvirt-vnc/** r,
-
-  # the various binaries
-  /usr/bin/kvm rmix,
-  /usr/bin/qemu rmix,
-  /usr/bin/qemu-system-arm rmix,
-  /usr/bin/qemu-system-cris rmix,
-  /usr/bin/qemu-system-i386 rmix,
-  /usr/bin/qemu-system-m68k rmix,
-  /usr/bin/qemu-system-microblaze rmix,
-  /usr/bin/qemu-system-microblazeel rmix,
-  /usr/bin/qemu-system-mips rmix,
-  /usr/bin/qemu-system-mips64 rmix,
-  /usr/bin/qemu-system-mips64el rmix,
-  /usr/bin/qemu-system-mipsel rmix,
-  /usr/bin/qemu-system-ppc rmix,
-  /usr/bin/qemu-system-ppc64 rmix,
-  /usr/bin/qemu-system-ppcemb rmix,
-  /usr/bin/qemu-system-sh4 rmix,
-  /usr/bin/qemu-system-sh4eb rmix,
-  /usr/bin/qemu-system-sparc rmix,
-  /usr/bin/qemu-system-sparc64 rmix,
-  /usr/bin/qemu-system-x86_64 rmix,
-  /usr/bin/qemu-alpha rmix,
-  /usr/bin/qemu-arm rmix,
-  /usr/bin/qemu-armeb rmix,
-  /usr/bin/qemu-cris rmix,
-  /usr/bin/qemu-i386 rmix,
-  /usr/bin/qemu-m68k rmix,
-  /usr/bin/qemu-microblaze rmix,
-  /usr/bin/qemu-microblazeel rmix,
-  /usr/bin/qemu-mips rmix,
-  /usr/bin/qemu-mipsel rmix,
-  /usr/bin/qemu-ppc rmix,
-  /usr/bin/qemu-ppc64 rmix,
-  /usr/bin/qemu-ppc64abi32 rmix,
-  /usr/bin/qemu-sh4 rmix,
-  /usr/bin/qemu-sh4eb rmix,
-  /usr/bin/qemu-sparc rmix,
-  /usr/bin/qemu-sparc64 rmix,
-  /usr/bin/qemu-sparc32plus rmix,
-  /usr/bin/qemu-sparc64 rmix,
-  /usr/bin/qemu-x86_64 rmix,
-
-  # for save and resume
-  /bin/dash rmix,
-  /bin/dd rmix,
-  /bin/cat rmix,
-
-  /usr/libexec/qemu-bridge-helper Cx,
-  # child profile for bridge helper process
-  profile /usr/libexec/qemu-bridge-helper {
-   #include <abstractions/base>
-
-   capability setuid,
-   capability setgid,
-   capability setpcap,
-   capability net_admin,
-
-   network inet stream,
-
-   /dev/net/tun rw,
-   /etc/qemu/** r,
-   owner @{PROC}/*/status r,
-
-   /usr/libexec/qemu-bridge-helper rmix,
-  }
Index: libvirt-1.1.2/examples/apparmor/libvirt-qemu.in
===================================================================
--- /dev/null
+++ libvirt-1.1.2/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,132 @@
+# Last Modified: Fri Mar 9 14:43:22 2012
+
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+
+  # required for reading disk images
+  capability dac_override,
+  capability dac_read_search,
+  capability chown,
+  capability setgid,
+
+  network inet stream,
+  network inet6 stream,
+
+  /dev/net/tun rw,
+  /dev/kvm rw,
+  /dev/ptmx rw,
+  /dev/kqemu rw,
+  @{PROC}/*/status r,
+
+  # For hostdev access. The actual devices will be added dynamically
+  /sys/bus/usb/devices/ r,
+  /sys/devices/*/*/usb[0-9]*/** r,
+
+  # WARNING: this gives the guest direct access to host hardware and specific
+  # portions of shared memory. This is required for sound using ALSA with kvm,
+  # but may constitute a security risk. If your environment does not require
+  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+  # the rules for files in /dev.
+  /{dev,run}/shm r,
+  /{dev,run}/shmpulse-shm* r,
+  /{dev,run}/shmpulse-shm* rwk,
+  /dev/snd/* rw,
+  capability ipc_lock,
+  # 'kill' is not required for sound and is a security risk. Do not enable
+  # unless you absolutely need it.
+  deny capability kill,
+
+  # Uncomment the following if you need access to /dev/fb*
+  #/dev/fb* rw,
+
+  /etc/pulse/client.conf r,
+  @{HOME}/.pulse-cookie rwk,
+  owner /root/.pulse-cookie rwk,
+  owner /root/.pulse/ rw,
+  owner /root/.pulse/* rw,
+  /usr/share/alsa/** r,
+  owner /tmp/pulse-*/ rw,
+  owner /tmp/pulse-*/* rw,
+  /var/lib/dbus/machine-id r,
+
+  # access to firmware's etc
+  /usr/share/kvm/** r,
+  /usr/share/qemu/** r,
+  /usr/share/qemu-kvm/** r,
+  /usr/share/bochs/** r,
+  /usr/share/openbios/** r,
+  /usr/share/openhackware/** r,
+  /usr/share/proll/** r,
+  /usr/share/vgabios/** r,
+  /usr/share/seabios/** r,
+
+  # access PKI infrastructure
+  /etc/pki/libvirt-vnc/** r,
+
+  # the various binaries
+  /usr/bin/kvm rmix,
+  /usr/bin/qemu rmix,
+  /usr/bin/qemu-kvm rmix,
+  /usr/bin/qemu-system-arm rmix,
+  /usr/bin/qemu-system-cris rmix,
+  /usr/bin/qemu-system-i386 rmix,
+  /usr/bin/qemu-system-m68k rmix,
+  /usr/bin/qemu-system-microblaze rmix,
+  /usr/bin/qemu-system-microblazeel rmix,
+  /usr/bin/qemu-system-mips rmix,
+  /usr/bin/qemu-system-mips64 rmix,
+  /usr/bin/qemu-system-mips64el rmix,
+  /usr/bin/qemu-system-mipsel rmix,
+  /usr/bin/qemu-system-ppc rmix,
+  /usr/bin/qemu-system-ppc64 rmix,
+  /usr/bin/qemu-system-ppcemb rmix,
+  /usr/bin/qemu-system-sh4 rmix,
+  /usr/bin/qemu-system-sh4eb rmix,
+  /usr/bin/qemu-system-sparc rmix,
+  /usr/bin/qemu-system-sparc64 rmix,
+  /usr/bin/qemu-system-x86_64 rmix,
+  /usr/bin/qemu-alpha rmix,
+  /usr/bin/qemu-arm rmix,
+  /usr/bin/qemu-armeb rmix,
+  /usr/bin/qemu-cris rmix,
+  /usr/bin/qemu-i386 rmix,
+  /usr/bin/qemu-m68k rmix,
+  /usr/bin/qemu-microblaze rmix,
+  /usr/bin/qemu-microblazeel rmix,
+  /usr/bin/qemu-mips rmix,
+  /usr/bin/qemu-mipsel rmix,
+  /usr/bin/qemu-ppc rmix,
+  /usr/bin/qemu-ppc64 rmix,
+  /usr/bin/qemu-ppc64abi32 rmix,
+  /usr/bin/qemu-sh4 rmix,
+  /usr/bin/qemu-sh4eb rmix,
+  /usr/bin/qemu-sparc rmix,
+  /usr/bin/qemu-sparc64 rmix,
+  /usr/bin/qemu-sparc32plus rmix,
+  /usr/bin/qemu-sparc64 rmix,
+  /usr/bin/qemu-x86_64 rmix,
+
+  # for save and resume
+  /bin/dash rmix,
+  /bin/dd rmix,
+  /bin/cat rmix,
+
+  @libdir@/qemu-bridge-helper Cx,
+  # child profile for bridge helper process
+  profile @libdir@/qemu-bridge-helper {
+   #include <abstractions/base>
+
+   capability setuid,
+   capability setgid,
+   capability setpcap,
+   capability net_admin,
+
+   network inet stream,
+
+   /dev/net/tun rw,
+   /etc/qemu/** r,
+   owner @{PROC}/*/status r,
+
+   @libdir@/qemu-bridge-helper rmix,
+  }