Thanks Simon, I found another one to trigger, which is when failing to start a guest. I can't reproduce it with a working guest, but it is still a way to trigger it, although it doesn't seem reliable.
Still, I have a system to verify on for myself, reporting e.g.:

[85681.586318] audit: type=1400 audit(1476865131.741:189): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=8448 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[85681.586329] audit: type=1400 audit(1476865131.741:190): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=8448 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I like your approach much more.
I'll prep something to test early next week (on a business trip the next days).

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1546674

Title:
  virt-aa-helper Apparmor profile missing rules for name resolution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs