Comment 13 for bug 1552241

It is interesting that it seems to do so only once.
So if a qemu process is started then
1. the first attach like:
    virsh attach-device artful-pidstat hot-add-usb.xml
   Triggers the denies:
2. but subsequent attach-device calls just fail without new denies

That explains to some extend why in some cases people don't see the deny.
It happened in the past but is cached.

It is also important to consider that when debugging as we will hit it only once.

The first step is to understand what/why qemu actually reads those.