I hit this issue today when trying `terraform-provider-libvirt`. So I spent some time debugging it. Below are my findings.
1. Dir-based pools are affected. I didn't try with the default one, as I created a custom storage pool in terraform (`/srv/libvirt/images`). Then I was able to catch the `/etc/apparmor.d/libvirt/libvirt-XXXX*` files and check their contents. There was no `/srv/libvirt/images` path, so it definitely was not added there.
2. Then I found `/**.qcow{,2} r,` in the `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper` file. So my image should be allowed by this rule. But I was still unable to create a VM. I tried to add my path here, without any success though.
3. The next thing to try was `/etc/apparmor.d/libvirt/TEMPLATE.qemu`. I added my pool path there AAAAND it worked afterwards. So this is what I have in the TEMPLATE.qemu file now:
```
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>
# Allow access to custom storage pool
"/srv/libvirt/images/" r,
"/srv/libvirt/images/**" rwk,
}
```
Now those paths appear in the libvirt/libvirt-XXXX file and access is finally allowed.
Please let me know if there is a better way to do this.
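Added example, not code from the issue or from libvirt: a small checker that parses file rules of the shape shown above out of an AppArmor profile and reports whether a given path is granted the requested permission letters, using AppArmor's glob semantics (`**` may cross `/`, `*` and `?` may not, `{a,b}` alternates) and the fact that permissions accumulate across every matching rule. The profile text is constructed for the example and mixes the read-only `/**.qcow{,2} r,` rule with the two TEMPLATE.qemu rules, so it also shows that the qcow rule alone yields `r` but not `w`.

```python
import re

# Constructed sample profile (not a real generated libvirt-XXXX file): one fixed
# image rule, the read-only qcow rule, and the two TEMPLATE.qemu rules from the post.
SAMPLE_PROFILE = """
#include <tunables/global>
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  /var/lib/libvirt/images/default.qcow2 rwk,
  /**.qcow{,2} r,
  "/srv/libvirt/images/" r,
  "/srv/libvirt/images/**" rwk,
}
"""

# A file rule: optional quotes, absolute path glob, permission letters, trailing comma.
RULE_RE = re.compile(r'^\s*"?(/[^"\s]*)"?\s+([a-zA-Z]+),\s*$')

def parse_rules(text):
    """Return (path_glob, perms) for each file rule; #include, profile and braces are skipped."""
    return [m.groups() for m in map(RULE_RE.match, text.splitlines()) if m]

def expand_braces(glob):
    """Expand {a,b} alternation: '/**.qcow{,2}' -> ['/**.qcow', '/**.qcow2']."""
    m = re.search(r'\{([^{}]*)\}', glob)
    if not m:
        return [glob]
    return [g for alt in m.group(1).split(',')
            for g in expand_braces(glob[:m.start()] + alt + glob[m.end():])]

def glob_to_regex(glob):
    """AppArmor globbing: '**' may cross '/', '*' and '?' may not."""
    out, i = '', 0
    while i < len(glob):
        if glob.startswith('**', i):
            out, i = out + '.*', i + 2
        elif glob[i] in '*?':
            out, i = out + ('[^/]*' if glob[i] == '*' else '[^/]'), i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile('^' + out + '$')

def allowed(profile_text, path, perms):
    """True if every requested permission letter is granted to path; AppArmor
    accumulates permissions over all rules whose glob matches the path."""
    granted = set()
    for glob, rule_perms in parse_rules(profile_text):
        if any(glob_to_regex(g).match(path) for g in expand_braces(glob)):
            granted.update(rule_perms)
    return set(perms) <= granted
```

Point it at a real `/etc/apparmor.d/libvirt/libvirt-<uuid>.files` and the pool path to confirm the generated profile grants `rwk` before starting the domain.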