Comment 1 for bug 1840552

Christian Ehrhardt  (paelzer) wrote :

Hi,
this is a dup of bug 1677398.

The TL;DR is that in some guest descriptions libvirt doesn't know (at the right time and place) what the device will be. Due to that it can't render the per-guest AppArmor rules correctly for this extra device.

In a similar fashion bug 1775777 had issues with late additions of vfio devices.

The solution for now is that an admin has to opt-in and allow e.g.
  /dev/vfio/* rw,

for all guests by setting that in
  /etc/apparmor.d/abstractions/libvirt-qemu (bionic)
or, better, as it isn't overwritten (conffile conflict) on upgrades,
  /etc/apparmor.d/local/abstractions/libvirt-qemu (later versions)
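
Added example, not part of the original comment: a shell helper that applies the opt-in described above idempotently, choosing the local override file when the shipped abstraction references it and the abstraction itself otherwise. The function names, the optional root-directory argument, and the test for a `local/abstractions/libvirt-qemu` reference as the sign of a "later version" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: opt in to the vfio rule from the comment above, once.
# Usage (as root): add_vfio_rule            # operates on /etc/apparmor.d
#                  add_vfio_rule /tmp/copy  # hypothetical copy for a dry run

VFIO_RULE='/dev/vfio/* rw,'

# Print the file the rule belongs in. Assumption: a release that supports
# the local override mentions it in the shipped abstraction; if not, fall
# back to editing the abstraction directly (the bionic case).
vfio_rule_target() {
    root=${1:-/etc/apparmor.d}
    if grep -qs 'local/abstractions/libvirt-qemu' \
        "$root/abstractions/libvirt-qemu"; then
        printf '%s\n' "$root/local/abstractions/libvirt-qemu"
    else
        printf '%s\n' "$root/abstractions/libvirt-qemu"
    fi
}

# Append the rule unless the same rule line is already there.
# Prints "added" or "present" so callers can tell what happened.
add_vfio_rule() {
    target=$(vfio_rule_target "$1")
    mkdir -p "$(dirname "$target")"
    touch "$target"
    if grep -qE '^[[:space:]]*/dev/vfio/\* rw,[[:space:]]*$' "$target"; then
        echo present
    else
        printf '  %s\n' "$VFIO_RULE" >> "$target"
        echo added
    fi
}
```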