Comment 3 for bug 637544

Here is an example message:
Sep 13 15:57:29 marula kernel: [ 7535.484814] type=1400 audit(1284407849.038:878): apparmor="DENIED" operation="open" parent=3346 profile="/usr/lib/libvirt/virt-aa-helper" name="/var/lib/eucalyptus/instances/admin/i-35280636/loader" pid=29440 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=105

We currently only allow the following in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
  /var/lib/eucalyptus/instances/**/disk* r,

What is /var/lib/eucalyptus/instances/admin/i-35280636/loader? Can you also attach the domain XML for an instance that fails to start?