Hi Christian, While looking at LP: #1546674 I ran into this bug as well. Your PPA package patches the usr.sbin.libvirtd profile but I think the right place to add the rule is in the abstraction/libvirt-qemu profile extract.
I added a similar but slightly more restrictive rule in the attached patch. With that patch in, I no longer get AA denials for /proc/$pid/task/*/comm. ** Patch added: "aa-libvirt-qemu.patch" https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550/+attachment/4767871/+files/aa-libvirt-qemu.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1615550 Title: STC860:Tuleta-L:KVM:iap01:Ubuntu 16.10 KVM logs apparmor="DENIED" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs