Comment 2 for bug 1993304

Christian Ehrhardt  (paelzer) wrote :

Hi Jelle,
a while ago we added a full set of rules which covered everything that USB devices needed.
In the libvirt-qemu profile you should already have:

  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/devices/**/usb[0-9]*/** r,
  # libusb needs udev data about usb devices (~equal to content of lsusb -v)
  /run/udev/data/+usb* r,
  /run/udev/data/c16[6,7]* r,
  /run/udev/data/c18[0,8,9]* r,

This should already cover all, except the last denial which you reported on
  /sys/bus/usb/devices/1-0:1.0
But that should be a symlink (and AppArmor rules have to list the target).

Here is an example from my system:
$ ll /sys/bus/usb/devices/1-0\:1.0
lrwxrwxrwx 1 root root 0 Okt 18 10:21 /sys/bus/usb/devices/1-0:1.0 -> ../../../devices/pci0000:00/0000:00:14.0/usb1/1-0:1.0/
$ readlink -f /sys/bus/usb/devices/1-0:1.0
/sys/devices/pci0000:00/0000:00:14.0/usb1/1-0:1.0

So that would also be covered.
And these rules landed in 2010 / 2014 so they should be present for you.

We need to find why you are not benefiting from those existing rules and why you do not have the sysfs layout others see.

Let me ask:
- which Ubuntu release are you using?
- which kernel are you using?
- what does your /etc/apparmor.d/abstractions/libvirt-qemu look like as it comes from the package?

Note: if your release is recent and has #include <local/abstractions/libvirt-qemu> in /etc/apparmor.d/abstractions/libvirt-qemu, then please edit /etc/apparmor.d/local/abstractions/libvirt-qemu, which will survive package upgrades.
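
The symlink check described in the comment above, as an added example that is not part of the original comment or of libvirt/AppArmor: it resolves a reported path the way readlink -f does and tests the result against the quoted rules. Assumptions: the glob translation is a simplified approximation of AppArmor matching (not the AppArmor parser), the sysfs tree is constructed in a temporary directory, and the names `glob_to_regex`, `covering_rule` and `demo` are hypothetical.

```python
import os
import re
import tempfile

# Read rules quoted in the comment above (from the libvirt-qemu abstraction).
RULES = [
    "/sys/bus/usb/devices/",
    "/sys/devices/**/usb[0-9]*/**",
    "/run/udev/data/+usb*",
    "/run/udev/data/c16[6,7]*",
    "/run/udev/data/c18[0,8,9]*",
]

def glob_to_regex(rule):
    """Assumption: simplified AppArmor globbing, only **, * and [...]."""
    out, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*")            # ** crosses directory separators
            i += 2
        elif rule[i] == "*":
            out.append("[^/]*")         # * stays inside one path component
            i += 1
        elif rule[i] == "[":
            end = rule.index("]", i)
            out.append(rule[i:end + 1])  # character class passes through as-is
            i = end + 1
        else:
            out.append(re.escape(rule[i]))
            i += 1
    return "".join(out)

def covering_rule(path):
    """Return the first rule whose glob matches the whole path, else None."""
    return next((r for r in RULES if re.fullmatch(glob_to_regex(r), path)), None)

def demo():
    """Constructed sysfs-like tree in a temp dir; resolve the link like readlink -f."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        rel = "devices/pci0000:00/0000:00:14.0/usb1/1-0:1.0"
        os.makedirs(os.path.join(root, "sys", rel))
        os.makedirs(os.path.join(root, "sys/bus/usb/devices"))
        link = os.path.join(root, "sys/bus/usb/devices/1-0:1.0")
        os.symlink("../../../" + rel, link)
        return link[len(root):], os.path.realpath(link)[len(root):]

if __name__ == "__main__":
    for p in demo():
        print(p, "->", covering_rule(p))
```

The link path itself matches no rule, while its resolved target falls under the `/sys/devices/**/usb[0-9]*/**` entry.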