libvirt cannot start guests under AppArmor with virtio disks passed through
I'm trying to launch a KVM domain with several passed-through disks:
<disk type="block" device="disk">
  <driver name="qemu" type="raw" cache="none" io="native"/>
  <source dev="/dev/disk/by-id/ata-HGST_HDN728080ALE604_1"/>
  <backingStore/>
  <target dev="vdb" bus="virtio"/>
  <address type="pci" domain="0x0000" bus="0x00" slot="0x0a" function="0x0"/>
</disk>
Unfortunately, the domain fails to start:
Jun 23 21:38:42 vm libvirtd[9695]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/libexec/virt-aa-helper -c -u libvirt-48265bc5-ffb8-499b-9c9f-26a2c25c5ce7) unexpected exit status 1: 2020-06-23 20:38:42.164+0000: 44320: info : libvirt version: 6.2.0
2020-06-23 20:38:42.164+0000: 44320: info : hostname: vm
2020-06-23 20:38:42.164+0000: 44320: error : virStorageFileBackendFileRead:129 : Failed to open file '/dev/disk/by-id/ata-HGST_HDN728080ALE604_4': Permission denied
2020-06-23 20:38:42.164+0000: 44320: error : virStorageFileBackendFileRead:129 : Failed to open file '/dev/disk/by-id/ata-HGST_HDN728080ALE604_3': Permission denied
2020-06-23 20:38:42.164+0000: 44320: error : virStorageFileBackendFileRead:129 : Failed to open file '/dev/disk/by-id/ata-HGST_HDN726040ALE614_1': Permission denied
2020-06-23 20:38:42.164+0000: 44320: error : virStorageFileBackendFileRead:129 : Failed to open file '/dev/disk/by-id/ata-HGST_HDN726040ALE614_2': Permission denied
virt-aa-helper: error: /usr/share/edk2-ovmf/OV
Jun 23 21:38:42 vm libvirtd[9695]: internal error: cannot load AppArmor profile 'libvirt-48265bc5-ffb8-499b-9c9f-26a2c25c5ce7'
This happens with libvirt 6.2.0.