Not following symlinks is part of the apparmor security philosophy since its beginnings. Aliases can be used instead, e.g. in /etc/apparmor.d/tunables/alias. But I doubt that you can alias the apparmor profile directory itself.
Do you intend to create a VM once and keep it for the lifetime of your systems, or does your use case include creating VMs again and again? apparmor_parser can be used to load AppArmor profiles dynamically. I wonder why libvirt is not using dynamic loading instead of writing files in /etc/apparmor.d. Maybe worth a discussion with the upstream project. If bind mounting your new profile directory works for you, I guess there is nothing to fix in Ubuntu. Just propose an update to https://wiki.debian.org/ReadonlyRoot to describe what is needed for libvirt.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142924

Title:
  Cannot load AppArmor profile with ReadonlyRoot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2142924/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
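The dynamic-loading route the comment above suggests, as an added example that is not part of the bug thread and not code from libvirt or AppArmor: profiles kept in a writable directory are loaded into the kernel with apparmor_parser instead of being written under a read-only /etc/apparmor.d, and the kernel's own list of loaded profiles is then read back to confirm the profile is present and in enforce mode. The directory /var/lib/apparmor-profiles is an assumed location; /sys/kernel/security/apparmor/profiles is where the kernel lists loaded profiles, one "name (mode)" per line.

```shell
#!/bin/sh
# Added example, not code from the bug report or from libvirt/AppArmor:
# load AppArmor profiles into the kernel straight from a writable directory
# with apparmor_parser, so nothing has to be written under a read-only
# /etc/apparmor.d, and verify what the kernel actually has loaded.
# PROFILE_DIR is an assumed location; PROFILES_FILE is the kernel's list of
# loaded profiles (one "name (mode)" per line).
set -eu

PROFILE_DIR="${PROFILE_DIR:-/var/lib/apparmor-profiles}"
PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Load (or replace, -r) every profile file in PROFILE_DIR. Replacing makes the
# call idempotent, so it can run from a boot unit or a VM-creation hook.
load_profiles() {
    for f in "$PROFILE_DIR"/*; do
        [ -f "$f" ] || continue
        apparmor_parser -r "$f"
    done
}

# Unload the profile defined in file $1 (e.g. when the VM it guards is deleted).
unload_profile() {
    apparmor_parser -R "$1"
}

# Print the mode (enforce, complain, ...) the kernel reports for profile $1;
# print nothing if it is not loaded. The trailing " (mode)" is stripped so
# names containing spaces still compare exactly.
profile_mode() {
    awk -v name="$1" '
        {
            mode = $NF
            sub(/^\(/, "", mode); sub(/\)$/, "", mode)
            n = $0
            sub(/ \([^)]*\)$/, "", n)
            if (n == name) print mode
        }' "$PROFILES_FILE"
}

# Exit 0 if profile $1 is loaded in enforce mode, 1 otherwise. A profile that
# is only in complain mode is logged, not enforced, so it fails this check.
profile_enforced() {
    [ "$(profile_mode "$1")" = enforce ]
}

case "${1:-}" in
    load)   load_profiles ;;
    unload) unload_profile "$2" ;;
    check)  profile_enforced "$2" && echo "$2: enforced" || { echo "$2: NOT enforced"; exit 1; } ;;
    *)      echo "usage: $0 load | unload FILE | check PROFILE" ;;
esac
```

Run `load` from a unit that starts before libvirtd (or from a VM-creation hook) and `check NAME` afterwards; the check reads the kernel's view rather than the files on disk, which is the state that actually matters on a read-only root where a stale or missing file would otherwise go unnoticed.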
