Fix various denial errors

etc/apparmor.d/abstractions/init-systemd

@@ -107,6 +107,8 @@
   owner @{sys_pci}/sas_port/*/num_phys r,
   owner @{sys_pci}/block/sda/dev r,
   owner @{sys_pci}/block/sda/sda[0-9]*/{partition,start} r,
+  owner @{sys_pci}/virtio[0-9]*/block/vda/{ro,removable,size,queue/rotational} r,
+  owner @{sys_pci}/virtio[0-9]*/block/vda/vda[0-9]*/{ro,size} r,
   @{sys_pci}/drm/**/{enabled,status} r,
   @{sys_pci}/sound/**/pcm_class r,
   @{sys_pci}/backlight/**/* rw,
@@ -121,7 +123,7 @@
   @{sys}/devices/system/node/{,node[0-9]*/meminfo} r,
   @{sys}/devices/system/cpu/{,present,online,cpu[0-9]*/cache/index2/size} r,
   owner @{sys}/devices/platform/rtc_cmos/rtc/rtc[0-9]*/hctosys r,
-  @{sys}/class/{,tty,input,drm,sound}/ r,
+  @{sys}/class/{,tty/,input/,drm/,sound/} r,
   owner @{sys}/class/{leds,power_supply,block}/ r,
   @{sys}/bus/{,pci/devices/} r,
   owner @{sys}/bus/usb/devices/ r,
@@ -241,6 +243,7 @@
   /{,var/}run/ r,
   /{,var/}run/** rw,
   /{,var/}run/shm/** rwl,
+  /run/utmp k,
   owner /{,var/}run/** rwk,
   owner /var/swapfile rw,
 

etc/apparmor.d/spice-vdagent

@@ -6,14 +6,26 @@
 profile spice-vdagent /{,usr/}bin/spice-vdagent flags=(attach_disconnected) {
   #include <abstractions/base>
 
+  ## Allow systemd to kill us.
+  signal receive set=(kill, cont, stop, term, hup) peer=init-systemd,
+  signal receive set=(kill, cont, stop, term) peer=systemd-shutdown,
+
   /{,usr/}bin/spice-vdagent mr,
 
   @{system_share_dirs}/drirc.d/{,*.conf} r,
   @{system_share_dirs}/themes/** r,
+  @{system_share_dirs}/alsa/{,pulse-}alsa.conf r,
+  @{system_share_dirs}/alsa/alsa.conf.d/{,*.conf} r,
+  /etc/alsa/conf.d/{,*.conf} r,
+  /etc/pulse/client.conf r,
+  /etc/pulse/client.conf.d/{,*.conf} r,
 
   owner @{HOME}/.Xauthority r,
   owner @{HOME}/.xsession-errors a,
 
+  /dev/snd/controlC[0-9] rw,
+  /dev/shm/ r,
+
   # Site-specific additions and overrides. See local/README for details.
   #include if exists <local/spice-vdagent>
 
@@ -22,6 +34,10 @@ profile spice-vdagent /{,usr/}bin/spice-vdagent flags=(attach_disconnected) {
 profile spice-vdagentd /{,usr/}sbin/spice-vdagentd flags=(attach_disconnected) {
   #include <abstractions/base>
 
+  ## Allow systemd to kill us.
+  signal receive set=(kill, cont, stop, term) peer=init-systemd,
+  signal receive set=(kill, cont, stop, term) peer=systemd-shutdown,
+
   /{,usr/}sbin/spice-vdagentd mr,
 
   @{PROC}/@{pid}/cgroup r,

etc/apparmor.d/usr.bin.dbus-daemon

@@ -11,30 +11,38 @@ profile dbus-daemon /{,usr/}bin/dbus-daemon flags=(attach_disconnected) {
 
   ptrace read,
 
+  ## Allow systemd to kill us.
+  signal receive set=(kill, cont, stop, term) peer=init-systemd,
+  signal receive set=(kill, cont, stop, term) peer=systemd-shutdown,
+
   /etc/group r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/*.xml r,
+  /etc/xdg/tumbler/tumbler.rc r,
 
   /{,usr/}bin/dbus-daemon mr,
   /usr/lib/mate-notification-daemon/mate-notification-daemon mrix,
   /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd mrix,
-  /usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd mrix,  
+  /usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd mrix,
+  /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix,
   /usr/lib/at-spi2-core/at-spi{-bus-launcher,2-registryd} mrix,
   /usr/lib/dconf/dconf-service mrix,
   /usr/bin/gnome-keyring-daemon mrix,
 
-  /{usr/share,etc}/dbus-1/** r,
+  /{@{system_share_dirs},etc}/dbus-1/** r,
   @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
   @{system_share_dirs}/defaults/at-spi2/accessibility.conf r,
   @{system_share_dirs}/desktop-base/profiles/xdg-config/xfce4/xfconf/xfce-perchannel-xml/*.xml{,.new} r,
+  @{system_share_dirs}/thumbnailers/{,*.thumbnailer} r,
 
   owner @{HOME}/.Xauthority r,
   owner @{HOME}/.config/dconf/user{,.*} rw,
   owner @{HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/*.xml{,.new} rw,
+  owner @{HOME}/.cache/gstreamer-1.0/registry.x86_64.bin{,.*} rw,
 
   @{PROC}/{filesystems,cmdline,@{pid}/cmdline} r,
-  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/{mounts,fd/} r,
   owner @{PROC}/@{pid}/oom_score_adj w,
 
   /run/systemd/{inhibit,sessions}/1.ref w,