Comment 15 for bug 545426

Jamie Strandboge (jdstrand) wrote :

Ancoron, this isn't a 'quick hack'. The /mnt, /media and /srv read permissions are for virt-aa-helper, not the virtual machines. virt-aa-helper is used by the libvirtd daemon to dynamically update the profiles for individual VM definitions, and uses the libvirt API extensively. While virt-aa-helper itself has an AppArmor profile, it is mostly just to make sure that it can't execute other programs or write to anywhere other than /etc/apparmor.d/libvirt. The profile needs to allow reading of ISOs and VM disk images (so it can check for backing store via the libvirt API), and so (limited) read access to the standard storage pool location, $HOME and removable media and filesystems is given. Not including /srv, /mnt and /media was an oversight. If an administrator saves files in other locations, he/she is expected to update the AppArmor profile accordingly.

For more on how the AppArmor security driver for libvirt works, please see /usr/share/doc/libvirt-bin/README.Debian.gz.