We can create a child profile for pt_chown so only it would get cap_fowner. Can you try the following in /etc/apparmor.d/abstractions/libvirt-qemu:
owner @{PROC}/[0-9]*/fd/ r, owner @{PROC}/[0-9]*/fd/3 r, /usr/lib/pt_chown cix -> libvirt_pt_chown,
profile libvirt_pt_chown { capability fowner, }
We can create a child profile for pt_chown so only it would get cap_fowner. Can you try the following in /etc/apparmor. d/abstractions/ libvirt- qemu:
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/fd/3 r,
/usr/lib/pt_chown cix -> libvirt_pt_chown,
profile libvirt_pt_chown {
capability fowner,
}