libvirt's virt-aa-helper valid_path() will also need to be updated. If the OVMF.Fd (aka bios.bin) is in /usr/share, then specifying '<os><loader>/usr/share/<wherever>/bios.bin</loader></os>' causes virt-aa-helper to fail because files in /usr/share are currently considered restricted. This can be fixed by adding "/usr/share/<wherever>" to "override[]" in valid_path().
libvirt's virt-aa-helper valid_path() will also need to be updated. If the OVMF.Fd (aka bios.bin) is in /usr/share, then specifying '<os><loader> /usr/share/ <wherever> /bios.bin< /loader> </os>' causes virt-aa-helper to fail because files in /usr/share are currently considered restricted. This can be fixed by adding "/usr/share/ <wherever> " to "override[]" in valid_path().