A typical approach (though unfortunately undocumented (we should really add this to the wiki somewhere)) is to do something like (see /usr/lib/libvirt/virt-aa-helper -h for more info (-u/--uuid is of form 'libvirt-<domuuid>')):
If profile does not exist:
export VM=foo ; virsh dumpxml $VM | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-`virsh domuuid $VM`
If profile already does exist:
export VM=foo ; virsh dumpxml $VM | sudo /usr/lib/libvirt/virt-aa-helper -r -u libvirt-`virsh domuuid $VM`
So, I saved your xml to /tmp/xml, then did:
cat /tmp/xml | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /lib4/vmpool1/myhost.org-sda.raw
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
What is happening is that virt-aa-helper does some safety checks and notices that the disk (a writable file) is in the non-standard directory that starts with /lib, so it skips the file. Because this file is the disk, it fails with 'invalid VM definition'. The bad news is that the restricted file checks are hardcoded in the source code for virt-aa-helper. The good news is that if you move it somewhere else (eg, /srv/vmpool1/myhost.org-sda.raw) it should work fine and you will be able to retain the guest isolation security that the apparmor driver provides (virt-aa-helper is a bit noisy since I don't have the disk present, but note that is not an error condition). Eg, making the change to the xml:
$ cat /tmp/xml | sudo /usr/lib/libvirt/virt-aa-helper -c -u libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
virt-aa-helper: warning: path does not exist, skipping file type checks
2012-12-29 19:30:27.679+0000: 10245: info : libvirt version: 0.9.13
2012-12-29 19:30:27.679+0000: 10245: warning : virDomainDiskDefForeachPath:14691 : Ignoring open failure on /srv/vmpool1/myhost.org-sda.raw: No such file or directory
$ sudo aa-status | grep libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
libvirt-6445bf42-7513-985a-7920-9e89a4c42ffe
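A pre-flight check for the "skipped restricted file" failure described above, as an added example that is not part of the original comment or of libvirt. The function names and the sample XML are constructed for illustration, and only the /lib prefix comes from the comment; the other prefixes are assumptions to verify against the virt-aa-helper source for your libvirt version.

```shell
#!/bin/sh
# Added example: list disk paths that virt-aa-helper would refuse.
# Only "/lib" is confirmed by the comment above; the remaining prefixes are
# assumptions. Override RESTRICTED_PREFIXES to match your libvirt version.
RESTRICTED_PREFIXES="${RESTRICTED_PREFIXES:-/lib /usr/lib /etc/ /bin/ /sbin/}"

# Constructed sample domain XML using the two paths from the comment.
sample_xml() {
    cat <<'EOF'
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/lib4/vmpool1/myhost.org-sda.raw'/>
    </disk>
    <disk type='file' device='disk'>
      <source file="/srv/vmpool1/myhost.org-sda.raw"/>
    </disk>
  </devices>
</domain>
EOF
}

# Read domain XML on stdin, print each <source file=...> path, one per line.
disk_paths() {
    grep -o "<source[^>]*file=['\"][^'\"]*['\"]" |
        sed -E "s/.*file=['\"]([^'\"]*)['\"]/\1/"
}

# Read domain XML on stdin, print the paths that start with a restricted
# prefix (plain string prefix match, which is why /lib4 is caught by /lib).
# Exit status is 1 if any path is restricted, 0 otherwise.
restricted_disks() {
    disk_paths | {
        found=0
        while IFS= read -r p; do
            for prefix in $RESTRICTED_PREFIXES; do
                case "$p" in
                    "$prefix"*) printf '%s\n' "$p"; found=1; break ;;
                esac
            done
        done
        [ "$found" -eq 0 ]
    }
}

# Demo on the constructed sample: prints the /lib4 path only.
sample_xml | restricted_disks || echo "relocate the disks listed above (eg, under /srv)"
```

On a real host the input would be `virsh dumpxml $VM | restricted_disks`, run before generating the profile with virt-aa-helper.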