Indeed the read to /etc/libvirt/libvirt.conf is from the call to virDomainDiskTranslateSourcePool as I have assumed above.
[ 628.266012] audit: type=1400 audit(1590487555.258:74): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libvirt/libvirt.conf" pid=3683 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 But in the long run we can't rely on either libvirt.conf nor anything else - as there are many places that can define the connection URL. Like ENV overrides and such, there might even be multiple libvirts running, so we can't just trial&error through the usual paths. But for now on these experiments I'll allow that access. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677398 Title: Apparmor prevents using storage pools and hostdev networks To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1677398/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs