Comment 2 for bug 1466911

Interesting. The needed path is actually provided by /etc/apparmor.d/abstractions/libvirt-qemu, but virt-aa-helper sees the loader and proceeds to try to add the path. Because the path a restricted one (under /usr/share), it is automatically rejected.

A workaround is to copy the bios to another path, i.e. /opt/bios.bin, and specify that path.

Marking this low priority because of the workaround, however this really ought to be fixed upstream.

I'm not sure what a proper fix would be. Perhaps vah_add_path() should simply first check whether the policy specified this far already allows the path.