(In reply to Holger Sickenberg from comment #5) > Interesting detail: the <seclabel type="none" model="apparmor"/> is part of > the dump but not in the /etc/libvirt/qemu/sles12sp3.xml - so it seem to come > from some global config?! If apparmor is enabled, the apparmor security driver is loaded at libvirtd startup. When a domain is started, the <seclabel> is added to the active domain XML. When domain is shutdown, its active XML is discarded and you're only left with the persistent XML (/etc/libvirt/<hypervisor>/<dom-name>.xml), assuming the domain is persistent. Transient domains only have active XML. You must have saved the domain on a machine where apparmor was enabled. The active XML is saved in the state file, and that active XML is now failing to restore on a machine where apparmor is disabled. This bug is definitely a duplicate of bug#1049505, but that's a non-public SLES bug. libvirt can help your predicament though. You can use 'virsh save-image-edit /path/to/state/file' to remove the <seclabel> element, and subsequently restore your machine.