Interestingly, or perhaps not, merely running /etc/init.d/apparmor stop isn't enough. I stop AppArmor, restart Libvirt and then start my VMs. However upon starting a VM an AppArmor profile still gets loaded and thus AppArmor denies access to the USB device I want to pass through. I have to run /etc/init.d/apparmor stop again after the VM has been started. Then access to the USB device is allowed.
Looks weird to me but I haven't yet fully understood how and when AppArmor profiles are loaded. But I don't understand why it would deny access to a directory structure that is explicitly permitted in the profile:
May 4 15:56:27 TESTHOST kernel: [75138.174346] type=1503 audit(1272981387.661:879): operation="open" pid=8053 parent=1 profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/pci0000:00/0000:00:1e.0/0000:01:04.4/usb6/devnum"
Unfortunately this is quite the blocker for me.