Comment 15 for bug 691590

Serge Hallyn (serge-hallyn) wrote : Re: libvirt should not take ownership of ISO images

See https://www.redhat.com/archives/libvir-list/2011-October/msg00104.html and https://www.redhat.com/archives/libvir-list/2011-October/msg00110.html for the upstream response. The first message describes the proper fix (switching from chown to ACLs in the DAC security code). The second suggests using a read-only mount for the ISOs.

Is it possible to use a read-only bind mount of the mirror directory for your libvirt VMs? You can either mount it elsewhere, or else have /etc/init/libvirt unshare a new mount namespace and remount the mirror directory read-only in place before starting libvirtd.
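
The two workarounds suggested in the comment above, sketched as shell functions together with a check that the mount really is read-only. This is an added example, not part of the original comment or of libvirt; the paths `/srv/mirror` and `/srv/iso`, the function names, and the sample mountinfo lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Option 1: read-only bind mount of the mirror at a second location.
# Bind first, then remount: older mount(8) ignores "ro" on the initial bind.
ro_bind_elsewhere() {        # usage: ro_bind_elsewhere SRC DST   (needs root)
    mount --bind "$1" "$2" &&
    mount -o remount,ro,bind "$2"
}

# Option 2: new mount namespace, remount the mirror read-only in place,
# then exec the daemon so that only it (and its children) see the ro view.
start_in_ro_namespace() {    # usage: start_in_ro_namespace DIR CMD [ARGS...]
    dir=$1; shift
    unshare -m sh -c '
        mount --make-rprivate / &&
        mount --bind "$1" "$1" &&
        mount -o remount,ro,bind "$1" &&
        shift && exec "$@"' sh "$dir" "$@"
}

# Check: is DIR a read-only mount point according to a mountinfo file?
# Field 5 is the mount point, field 6 the per-mount options. The options
# after the "-" separator belong to the superblock and stay "rw" for a
# read-only bind mount, so they must not be used for this test.
is_ro_mount() {              # usage: is_ro_mount DIR [MOUNTINFO_FILE]
    awk -v d="$1" '
        $5 == d { ro = ($6 ~ /(^|,)ro(,|$)/) }   # last match = topmost mount
        END     { exit (ro ? 0 : 1) }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed sample in /proc/<pid>/mountinfo format (not captured output).
sample_mountinfo() {
    cat <<'EOF'
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
60 25 8:1 /srv/mirror /srv/mirror ro,relatime - ext4 /dev/sda1 rw
61 25 8:1 /srv/iso /srv/iso rw,relatime shared:1 - ext4 /dev/sda1 rw
EOF
}
```

With option 2 the read-only view exists only inside the daemon's namespace, so point `is_ro_mount` at `/proc/<libvirtd pid>/mountinfo` rather than the default when verifying it.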