Comment # 10 on bug 1144527 from James Fehlig

(In reply to Dan ������erm������k from comment #9)
> Should we forward this to the libvirt and/or apparmor maintainers?

IMO we need a better understanding of the problem first. In the original
description you said you "frequently" encounter the problem, so I assume it
does work on occasion?

> I have the suspicion that once one user creates a domain, any other user (including root) can no longer create them

Can you verify this suspicion? :-)

> Call to virDomainCreateWithFlags failed: internal error: Process exited prior to exec: libvirt:  error : Failed to bind /dev/null on to /var/run/libvirt/qemu/496-tests_testing-15.0-a.dev/null: Permission denied

This error, along with your DENIED messages from audit.log, indicate building
the VM's namespace failed. /dev/null on the host could not be bind mounted to
the VM's private namespace. However a lot has changed in libvirt since 6.0.0,
including moving the namespace creation from the qemu process to the libvirtd
process

https://gitlab.com/libvirt/libvirt/-/commit/8da362fe62766b4eee209cd3ce591ceb62299d13
https://gitlab.com/libvirt/libvirt/-/commit/9048dc4e627ddf33996084167bece7b5fb83b0bc

The first commit describes the rational, the second one uses it for basic /dev
nodes. There are several subsequent commits doing the same for disks, hostdevs,
chardevs, etc. Bottom line is the patch I suggested in #8 is not needed with
libvirt >= 6.7.0 since mounting is done within the libvirtd process.

Is it possible for you to verify the issue does not exist on TW, or SLES15 SP3
betas if that is easier?