apparmor/utils/net.apparmor.pkexec.aa-notify.policy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="net.apparmor.pkexec.aa-notify.modify_profile">
    <description>AppArmor: modifying security profile</description>
    <message>To modify an AppArmor security profile, you need to authenticate.</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">{LIB_PATH}apparmor/update_profile.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">add_rule</annotate>
  </action>
  <action id="net.apparmor.pkexec.aa-notify.create_userns">
    <description>AppArmor: adding userns profile</description>
    <message>To allow a program to use unprivileged user namespaces, you need to authenticate.</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">{LIB_PATH}apparmor/update_profile.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">create_userns</annotate>
  </action>

</policyconfig>