Comment 43 for bug 1677398

Yury Bushmelev (jay7x) wrote :

I hit this issue today when trying `terraform-provider-libvirt`. So I spent some time debugging it. Below are my findings.

1. Dir-based pools are affected. I didn't try with the default one as I created a custom storage pool in terraform (`/srv/libvirt/images`). Then I was able to catch `/etc/apparmor.d/libvirt/libvirt-XXXX*` files and check their contents. There was no `/srv/libvirt/images` path, so it definitely was not added there.

2. Then I found `/**.qcow{,2} r,` in the `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper` file. So my image should be allowed by this rule. But I was still unable to create VM. I tried to add my path here without any success though.

3. The next thing to try was `/etc/apparmor.d/libvirt/TEMPLATE.qemu`. I added my pool path there AAAAND it worked afterwards. So this is what I have in the TEMPLATE.qemu file now:

```
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  # Allow access to custom storage pool
  "/srv/libvirt/images/" r,
  "/srv/libvirt/images/**" rwk,
}
```

Now those paths appear in the libvirt/libvirt-XXXX file and access is finally allowed.

Please let me know if there is a better way to do this.
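As an added example (not code from the comment, libvirt or AppArmor), a small Python matcher that applies AppArmor path-glob rules (`**` crosses `/`, `*` stays within one component, `{a,b}` alternates) to a profile text and reports which permission letters a given path still lacks. The sample profile is constructed from the rules quoted above; pointing it at a generated `/etc/apparmor.d/libvirt/libvirt-XXXX` file shows whether a pool path is covered before a domain fails to start.

```python
import re
# Constructed sample profile built from the rules quoted in the comment above:
# the virt-aa-helper rule from step 2 and the two pool rules added in step 3.
SAMPLE_PROFILE = """
#include <abstractions/libvirt-qemu>
/**.qcow{,2} r,
"/srv/libvirt/images/" r,
"/srv/libvirt/images/**" rwk,
"""

# File rule: optional quotes, absolute path glob, permission letters, trailing comma.
RULE_RE = re.compile(r'^\s*"?(/[^"\s]*)"?\s+([rwakmlixpPuUcC]+)\s*,\s*$')

def glob_to_regex(glob):
    """AppArmor path glob -> regex fragment: '**' crosses '/', '*' and '?' stay
    within one component, '{a,b}' alternates (nested braces not handled)."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 1                    # the second '*' is skipped by the i += 1 below
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def allowed_perms(profile_text, path):
    """Union of permission letters granted to `path` by every matching file rule
    (AppArmor accumulates permissions across rules)."""
    perms = set()
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and re.fullmatch(glob_to_regex(m.group(1)), path):
            perms |= set(m.group(2))
    return perms

def missing_perms(profile_text, path, wanted="rwk"):
    """Permission letters `path` still lacks; an empty list means the profile suffices."""
    return sorted(set(wanted) - allowed_perms(profile_text, path))
```

With only the `/**.qcow{,2} r,` rule, an image under the pool is readable but not writable, which is the gap the two added pool rules close.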