More apparmor profile details from manual testing:

The following profiles were copied while the given volume:
/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2
had the following snapshot backing file:
/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e

VM is shut down and volume is attached:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/instance-0000000d.log" w,
  "/var/lib/libvirt/**/instance-0000000d.monitor" rw,
  "/var/run/libvirt/**/instance-0000000d.pid" rwk,
  "/run/libvirt/**/instance-0000000d.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-0000000d" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.instance-0000000d" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk" rw,
  "/opt/stack/data/nova/instances/_base/2ea96822a43c04748331603dcfb7c24104d0c175" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/_base/2ea96822a43c04748331603dcfb7c24104d0c175" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk.config" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk.config" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/console.log" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/console.log" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/kernel" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/kernel" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/ramdisk" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/ramdisk" w,
  /dev/vhost-net rw,

VM is started after volume has been attached while VM was shut down:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/instance-0000000d.log" w,
  "/var/lib/libvirt/**/instance-0000000d.monitor" rw,
  "/var/run/libvirt/**/instance-0000000d.pid" rwk,
  "/run/libvirt/**/instance-0000000d.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-0000000d" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.instance-0000000d" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk" rw,
  "/opt/stack/data/nova/instances/_base/2ea96822a43c04748331603dcfb7c24104d0c175" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/_base/2ea96822a43c04748331603dcfb7c24104d0c175" w,
  "/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2" rw,
  "/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e" r,
  # don't audit writes to readonly files
  deny "/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk.config" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk.config" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/console.log" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/console.log" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/kernel" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/kernel" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/ramdisk" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/ramdisk" w,
  /dev/vhost-net rw,

Volume was removed while the VM is running:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/instance-0000000d.log" w,
  "/var/lib/libvirt/**/instance-0000000d.monitor" rw,
  "/var/run/libvirt/**/instance-0000000d.pid" rwk,
  "/run/libvirt/**/instance-0000000d.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-0000000d" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.instance-0000000d" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk" rw,
  "/opt/stack/data/nova/instances/_base/2ea96822a43c04748331603dcfb7c24104d0c175" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/_base/2ea96822a43c04748331603dcfb7c24104d0c175" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk.config" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk.config" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/console.log" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/console.log" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/kernel" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/kernel" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/ramdisk" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/ramdisk" w,
  /dev/vhost-net rw,

After (trying to) reattach the volume to the same running VM:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/instance-0000000d.log" w,
  "/var/lib/libvirt/**/instance-0000000d.monitor" rw,
  "/var/run/libvirt/**/instance-0000000d.pid" rwk,
  "/run/libvirt/**/instance-0000000d.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.instance-0000000d" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.instance-0000000d" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk" rw,
  "/opt/stack/data/nova/instances/_base/2ea96822a43c04748331603dcfb7c24104d0c175" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/_base/2ea96822a43c04748331603dcfb7c24104d0c175" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk.config" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/disk.config" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/console.log" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/console.log" rw,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/kernel" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/kernel" w,
  "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/ramdisk" r,
  # don't audit writes to readonly files
  deny "/opt/stack/data/nova/instances/7641ded0-42f6-443e-b376-db1c9c738ed6/ramdisk" w,
  /dev/vhost-net rw,

This is the libvirt log excerpt corresponding to the last reattach operation directly above:

2016-07-28 08:57:35.577+0000: 16633: debug : qemuSetupDiskPathAllow:60 : Process path /mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2 for disk
2016-07-28 08:57:35.577+0000: 16633: debug : qemuSetupDiskPathAllow:60 : Process path /mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e for disk
2016-07-28 08:57:35.577+0000: 16633: debug : virCommandRunAsync:2282 : About to run /usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-7641ded0-42f6-443e-b376-db1c9c738ed6 -f /mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2
2016-07-28 08:57:35.578+0000: 16633: debug : virCommandRunAsync:2285 : Command result 0, with PID 5435
2016-07-28 08:57:36.046+0000: 16633: debug : virCommandRun:2142 : Result status 0, stdout: '' stderr: ''
2016-07-28 08:57:36.046+0000: 16633: debug : qemuDomainPCIAddressGetNextSlot:2270 : PCI slot 0000:00:01 already in use
2016-07-28 08:57:36.046+0000: 16633: debug : qemuDomainPCIAddressGetNextSlot:2270 : PCI slot 0000:00:02 already in use
2016-07-28 08:57:36.046+0000: 16633: debug : qemuDomainPCIAddressGetNextSlot:2270 : PCI slot 0000:00:03 already in use
2016-07-28 08:57:36.046+0000: 16633: debug : qemuDomainPCIAddressGetNextSlot:2313 : Found free PCI slot 0000:00:04
2016-07-28 08:57:36.046+0000: 16633: debug : qemuDomainPCIAddressReserveAddr:2114 : Reserving PCI slot 0000:00:04.0 (multifunction='off')
2016-07-28 08:57:36.046+0000: 16633: debug : qemuDomainObjEnterMonitorInternal:1278 : Entering monitor (mon=0x7fc904179ca0 vm=0x7fc900004450 name=instance-0000000d)
2016-07-28 08:57:36.046+0000: 16633: debug : qemuMonitorAddDrive:3011 : mon=0x7fc904179ca0 drive=file=/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2,if=none,id=drive-virtio-disk1,format=qcow2,serial=4573bf40-c033-44d4-9231-8afd03e6286e,cache=none,aio=native
2016-07-28 08:57:36.046+0000: 16633: debug : qemuMonitorJSONAddDrive:3126 : drive_add command not found, trying HMP
2016-07-28 08:57:36.046+0000: 16633: debug : qemuMonitorJSONCommandWithFd:264 : Send command '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2,if=none,id=drive-virtio-disk1,format=qcow2,serial=4573bf40-c033-44d4-9231-8afd03e6286e,cache=none,aio=native"},"id":"libvirt-19"}' for write with FD -1
2016-07-28 08:57:36.046+0000: 16633: debug : qemuMonitorSend:959 : QEMU_MONITOR_SEND_MSG: mon=0x7fc904179ca0 msg={"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2,if=none,id=drive-virtio-disk1,format=qcow2,serial=4573bf40-c033-44d4-9231-8afd03e6286e,cache=none,aio=native"},"id":"libvirt-19"} fd=-1
2016-07-28 08:57:36.047+0000: 16628: debug : qemuMonitorIOWrite:504 : QEMU_MONITOR_IO_WRITE: mon=0x7fc904179ca0 buf={"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2,if=none,id=drive-virtio-disk1,format=qcow2,serial=4573bf40-c033-44d4-9231-8afd03e6286e,cache=none,aio=native"},"id":"libvirt-19"} len=350 ret=350 errno=11
2016-07-28 08:57:36.066+0000: 16628: debug : qemuMonitorIOProcess:396 : QEMU_MONITOR_IO_PROCESS: mon=0x7fc904179ca0 buf={"return": "could not open disk image /mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2: Could not open backing file: Could not open '/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e': Permission denied\r\n", "id": "libvirt-19"} len=362
2016-07-28 08:57:36.073+0000: 16628: debug : qemuMonitorJSONIOProcessLine:157 : Line [{"return": "could not open disk image /mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2: Could not open backing file: Could not open '/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e': Permission denied\r\n", "id": "libvirt-19"}]
2016-07-28 08:57:36.073+0000: 16628: debug : qemuMonitorJSONIOProcessLine:177 : QEMU_MONITOR_RECV_REPLY: mon=0x7fc904179ca0 reply={"return": "could not open disk image /mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e.c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2: Could not open backing file: Could not open '/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/volume-4573bf40-c033-44d4-9231-8afd03e6286e': Permission denied\r\n", "id": "libvirt-19"}
2016-07-28 08:57:36.074+0000: 16628: debug : qemuMonitorJSONIOProcess:226 : Total used 362 bytes out of 362 available in buffer
2016-07-28 08:57:36.074+0000: 16633: debug : qemuMonitorJSONCommandWithFd:269 : Receive command reply ret=0 rxObject=0x7fc91cc95270
2016-07-28 08:57:36.074+0000: 16633: error : qemuMonitorTextAddDrive:2611 : operation failed: open disk image file failed

Please note there's no general file permission issue, as in the other code paths there's no problem with accessing the volume's backing file.
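
One way to cross-check a libvirt debug log like the excerpt above, as an added example that is not part of the original comment or of libvirt: it lists the disk-chain paths libvirt processed and the paths QEMU reported as "Permission denied" that never appeared as a -f argument to virt-aa-helper. The sample log is constructed from the quoted lines (timestamps and thread ids trimmed), and the function and field names are hypothetical.

```python
import re

# Constructed sample: condensed from the log quoted above (timestamps, thread ids trimmed).
VOL = ("/mnt/quobyte-volume/abfa1002557ab2b21ec218a86487dd92/"
       "volume-4573bf40-c033-44d4-9231-8afd03e6286e")
SNAP = VOL + ".c0c1654e-ac4b-487f-8d1e-b29d59fa7ce2"
SAMPLE_LOG = r"""
debug : qemuSetupDiskPathAllow:60 : Process path @SNAP@ for disk
debug : qemuSetupDiskPathAllow:60 : Process path @VOL@ for disk
debug : virCommandRunAsync:2282 : About to run /usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-7641ded0-42f6-443e-b376-db1c9c738ed6 -f @SNAP@
debug : qemuMonitorJSONIOProcessLine:177 : QEMU_MONITOR_RECV_REPLY: reply={"return": "could not open disk image @SNAP@: Could not open backing file: Could not open '@VOL@': Permission denied\r\n", "id": "libvirt-19"}
error : qemuMonitorTextAddDrive:2611 : operation failed: open disk image file failed
""".replace("@SNAP@", SNAP).replace("@VOL@", VOL)

PROCESS_RE = re.compile(r"qemuSetupDiskPathAllow:\d+ : Process path (\S+) for disk")
HELPER_RE = re.compile(r"About to run \S*/virt-aa-helper\s+(.*)$")
DENIED_RE = re.compile(r"Could not open '([^']+)': Permission denied")


def correlate(log_text):
    """Compare the disk chain libvirt processed with the files handed to virt-aa-helper."""
    chain, passed, denied = [], set(), set()
    for line in log_text.splitlines():
        m = PROCESS_RE.search(line)
        if m and m.group(1) not in chain:
            chain.append(m.group(1))
        m = HELPER_RE.search(line)
        if m:
            args = m.group(1).split()
            # -f <path> is the only file argument visible in the quoted log.
            passed.update(b for a, b in zip(args, args[1:]) if a == "-f")
        # The same QEMU reply is logged several times; the set de-duplicates it.
        denied.update(DENIED_RE.findall(line))
    return {
        "chain": chain,
        "passed_to_helper": passed,
        "chain_not_passed": [p for p in chain if p not in passed],
        "denied_not_passed": sorted(denied - passed),
    }


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG)
    for path in report["denied_not_passed"]:
        print("denied and never passed to virt-aa-helper -f:", path)
```
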