For the record I've reproduced this. Interestingly, /dev/dm-2 *is* in the allowed list. Following is the syslog entry:
Jan 5 10:07:11 sergelap kernel: [ 5768.408495] type=1400 audit(1325779631.010:95): apparmor="DENIED" operation="open" parent=1606 profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-2" pid=13978 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jan 5 10:07:11 sergelap kernel: [ 5768.682389] type=1400 audit(1325779631.286:96): apparmor="STATUS" operation="profile_load" name="libvirt-defba839-e7fc-1290-17b4-d0e8c1e68296" pid=13985 comm="apparmor_parser" So it is virt-aa-helper's profile which needs to be updated, not that of the VMs. In particular: /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper ** Changed in: libvirt (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/912007 Title: Apparmor profile denies access to /dev/dm-* for guests using LVM partitions storage To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/912007/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs