Comment 31 for bug 1677398

Indeed the read to /etc/libvirt/libvirt.conf is from the call to virDomainDiskTranslateSourcePool as I have assumed above.

[ 628.266012] audit: type=1400 audit(1590487555.258:74): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libvirt/libvirt.conf" pid=3683 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

But in the long run we can't rely on either libvirt.conf nor anything else - as there are many places that can define the connection URL. Like ENV overrides and such, there might even be multiple libvirts running, so we can't just trial&error through the usual paths.

But for now on these experiments I'll allow that access.