Comment 8 for bug 1989073

Christian Ehrhardt  (paelzer) wrote :

This will construct a profile based on the template used by libvirt to test this outside of other elements (using qemu just booting a kernel image, not more):

$ sudo cp /etc/apparmor.d/libvirt/libvirt-<one that you have> /etc/apparmor.d/test
$ cat /etc/apparmor.d/abstractions/libvirt-qemu | sudo tee -a /etc/apparmor.d/test
$ sudo vim /etc/apparmor.d/test
  Change header to:
profile test flags=(attach_disconnected) {
  #include <abstractions/base>
...
$ echo "/boot/vmlinuz* r," | sudo tee -a /etc/apparmor.d/test
/boot/vmlinuz* r,
$ echo "}" | sudo tee -a /etc/apparmor.d/test
$ sudo systemctl reload apparmor

We can run qemu now directly in that profile and see the problem:

$ sudo aa-exec -p test -- /usr/bin/qemu-system-x86_64 -machine pc-i440fx-kinetic -accel kvm -cpu host -kernel /boot/vmlinuz -nographic -curses

Triggers:
[ 6861.854970] audit: type=1400 audit(1668435695.650:190): apparmor="DENIED" operation="open" class="file" profile="test" name="/sys/devices/system/cpu/possible" pid=2104 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
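The manual steps above (copy a libvirt-<uuid> profile, inline the libvirt-qemu abstraction, rename the profile to "test", add the vmlinuz rule, reload, run qemu under aa-exec) scripted as an added example; this is not code from the bug report or from the libvirt/apparmor packages. It assumes the profile is still named "test", that the per-domain `profile ... {` line and everything after it in the template is replaced by the inlined abstraction, and that the abstraction's own `#include <abstractions/base>` is folded into the new header. `denial_to_rule` turns a DENIED audit line like the one above into the file rule that would allow it, which is the usual next step once the denial is reproduced.

```shell
#!/bin/sh
# Added example (not from the bug comment): build the "test" profile from a
# libvirt per-domain template plus the libvirt-qemu abstraction, and convert
# AppArmor DENIED audit lines into candidate rules.

# build_test_profile TEMPLATE ABSTRACTION [RULE...]
# Prints a standalone profile named "test" to stdout: keeps the template's
# preamble (lines before "profile ... {", e.g. #include <tunables/global>),
# writes the new header, inlines the abstraction (comments and blank lines
# dropped, #include lines kept; its base include is folded into the header),
# appends any extra rules and closes the profile.
build_test_profile() {
    template=$1; abstraction=$2; shift 2
    awk '/^profile / { exit } { print }' "$template"
    printf 'profile test flags=(attach_disconnected) {\n'
    printf '  #include <abstractions/base>\n'
    awk '/^[ \t]*$/ { next }
         /^[ \t]*#include <abstractions\/base>/ { next }
         /^[ \t]*#/ && !/^[ \t]*#include/ { next }
         { sub(/^[ \t]*/, ""); print "  " $0 }' "$abstraction"
    for rule in "$@"; do
        printf '  %s\n' "$rule"
    done
    printf '}\n'
}

# denial_to_rule LINE
# Extracts name= and denied_mask= from an apparmor="DENIED" audit line and
# prints the file rule that would allow it, e.g.
#   /sys/devices/system/cpu/possible r,
# Returns 1 for lines that are not file denials.
denial_to_rule() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    name=$(printf '%s\n' "$line" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$line" | sed -n 's/.* denied_mask="\([^"]*\)".*/\1/p')
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$name" "$mask"
}

# Usage (needs root, AppArmor and KVM; nothing runs without an argument):
#   sh this.sh build <uuid>   # write /etc/apparmor.d/test from libvirt-<uuid>
#   sh this.sh run            # load it, boot the kernel, print denials as rules
case "${1-}" in
    build)
        build_test_profile "/etc/apparmor.d/libvirt/libvirt-$2" \
            /etc/apparmor.d/abstractions/libvirt-qemu \
            '/boot/vmlinuz* r,' | sudo tee /etc/apparmor.d/test >/dev/null
        ;;
    run)
        sudo apparmor_parser -r /etc/apparmor.d/test
        sudo aa-exec -p test -- /usr/bin/qemu-system-x86_64 \
            -machine pc-i440fx-kinetic -accel kvm -cpu host \
            -kernel /boot/vmlinuz -nographic -curses
        sudo dmesg | grep 'apparmor="DENIED"' | grep 'profile="test"' |
            while read -r l; do denial_to_rule "$l"; done
        ;;
esac
```

`apparmor_parser -r` replaces just the one profile, so the rest of the loaded policy is untouched while iterating; `systemctl reload apparmor` as in the comment works too. The rule printed by `denial_to_rule` is a starting point, not the fix: check whether the path belongs in the libvirt-qemu abstraction for every guest or only in this test profile before adding it.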