Comment 11 for bug 1678322

Christian Ehrhardt  (paelzer) wrote :

on #1
profile for /usr/sbin/libvirtd
[ 2652.571679] audit: type=1400 audit(1491303691.531:23): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=7587 comm="libvirtd" rlimit=memlock value=1610612736

It isn't really clear to me why/where AppArmor is blocking that access.
After a decent debugging session with the security team it turned out that even if it worked it would not help. When allowed it changes global limits but not those of the qemu process - and thereby the failure of vfio allocation issues stays.

The setrlimit will change the global limit and not the one of the qemu.
It actually is a bug that it is blocked, but even when allowed it does not increase the limit of the target qemu. So fixing it to allow that does not get us any further.
Nevertheless, I created a spin-off bug 1679704 for that.