Comment 8 for bug 1074207

libvirt's virt-aa-helper valid_path() will also need to be updated. If the OVMF.Fd (aka bios.bin) is in /usr/share, then specifying '<os><loader>/usr/share/<wherever>/bios.bin</loader></os>' causes virt-aa-helper to fail because files in /usr/share are currently considered restricted. This can be fixed by adding "/usr/share/<wherever>" to "override[]" in valid_path().