Comment 16 for bug 1678322

Christian Ehrhardt (paelzer) wrote:

I've verified that when e.g. setting the profile to aa-complain to let the setprlimit through, the issue is not fixed. So while it is an issue that this shows up as Denied, it would not get the VF attachment working.

What "fixed" it in your case was adding the memtune options that raise the limits when qemu is started.
Another alternative to get it working is to raise them via "sudo prlimit ..." dynamically as libvirt would do.

Both confirm that, as I assumed, we have to debug (or understand, as I might be off here still) why virProcessSetMaxMemLock is not having the pid available to set the target limit via prlimit. There should be the root cause of this issue.
This will be the effort that is continued to be tracked in this bug.

I've forked off several of the issues in bugs of their own.
- bug 1679704 against apparmor for the blocking of setrlimit
- bug 1680384 against libvirt to add missing apparmor profile statements
- bug 1680386 against libvirt to add virt-aa-helper code for devspec
I'd ask you to reverse mirror them so you can track and work on them as needed.