OK; I've now managed to reproduce the issue; it appears that virt-aa-helper only parses backing_files one level; in this case the full chain is two levels/three files, so the base qcow2 image is not included in the AppArmor profile:
"/var/log/libvirt/**/test.log" w,
"/var/lib/libvirt/**/test.monitor" rw,
"/var/run/libvirt/**/test.pid" rwk,
"/home/jamespage/vms/test.qcow2" rw,
"/home/jamespage/vms/test_base.qcow2" r,
# don't audit writes to readonly files
deny "/home/jamespage/vms/test_base.qcow2" w,
I incidentally found a potential bug in virt-install; it does not appear to recognise .qcow2 files and generates an xml definition with the disk type as raw.
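The following is an added example, not part of the original comment and not virt-aa-helper's code: a Python sketch that follows a qcow2 backing chain to its end by reading each header, then emits one rule set per file in the style of the profile above. The function names, the image name `base.qcow2` and the header-only sample files are constructed for illustration.

```python
import os
import struct
import tempfile
QCOW2_MAGIC = b"QFI\xfb"

def read_backing_file(path):
    """Return the backing file path recorded in a qcow2 header, or None."""
    with open(path, "rb") as f:
        header = f.read(20)
        if len(header) < 20 or header[:4] != QCOW2_MAGIC:
            return None  # raw or non-qcow2 image: the chain ends here
        # bytes 8-15: backing_file_offset, bytes 16-19: backing_file_size
        offset, size = struct.unpack(">QI", header[8:20])
        if offset == 0 or size == 0:
            return None
        f.seek(offset)
        name = f.read(size).decode("utf-8")
    # relative names are resolved against the directory of the image
    return os.path.normpath(os.path.join(os.path.dirname(path), name))

def backing_chain(top, max_depth=16):
    """Follow backing files from the top image all the way to the base."""
    chain = [top]
    while len(chain) <= max_depth:
        nxt = read_backing_file(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    raise ValueError("backing chain too deep or looping")

def apparmor_rules(top):
    chain = backing_chain(top)
    rules = ['"%s" rw,' % chain[0]]  # only the top image is writable
    for path in chain[1:]:  # every backing image: read-only, writes denied
        rules += ['"%s" r,' % path, 'deny "%s" w,' % path]
    return rules

def make_qcow2(path, backing=None):
    """Write a constructed, header-only qcow2 file (sample input, no data)."""
    name = backing.encode() if backing else b""
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 2, 72 if backing else 0, len(name))
    with open(path, "wb") as f:
        f.write(hdr.ljust(72, b"\0") + name)

def demo():
    d = tempfile.mkdtemp()
    names = ["base.qcow2", "test_base.qcow2", "test.qcow2"]  # constructed chain
    for img, backing in zip(names, [None] + names):
        make_qcow2(os.path.join(d, img), backing)
    return d, apparmor_rules(os.path.join(d, "test.qcow2"))
```

For the three-file chain, `demo()` returns five rules, including the `r` and `deny ... w` pair for the base image that is absent from the profile quoted above.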