Comment # 9 on bug 1208567 from William Brown

(In reply to David Disseldorp from comment #6)
> (In reply to David Disseldorp from comment #5)
> > (In reply to David Disseldorp from comment #3)
> > ...
> > > Putting it on my queue. My initial impression is that some changes to
> > > virt-aa-helper are needed to permit the file locking.
> > 
> > Actually, it looks like what's needed here is a follow up to the boo#1203976
> > 7aec69b7-apparmor-Fix-QEMU-access-for-UEFI.patch which permits locking of
> > qemu-ovmf-x86_64 paths installed under /usr/share/qemu/ovmf-*.bin . It looks
> > as though this edk2/OVMF path is somewhat SUSE-unique, which would explain
> > why this didn't make it into the upstream profile.
> 
> @William: please try manually changing the profile at
> /etc/apparmor.d/abstractions/libvirt-qemu :
> 
> @@ -90,7 +90,7 @@
>    /usr/share/proll/** r,
>    /usr/share/qemu-efi/** r,
>    /usr/share/qemu-kvm/** r,
> -  /usr/share/qemu/** r,
> +  /usr/share/qemu/** rk,
>    /usr/share/seabios/** r,
>    /usr/share/sgabios/** r,
>    /usr/share/slof/** r,
> 
> Then as root reload the profile (reload of all profiles is probably easiest):
> 

Will this prevent successful upgrading of the profile in future though? That
file is owned by libvirt-daemon-8.0.0-150400.7.3.1.x86_64, and is listed as a
config file meaning that if I modify it, rpm will no longer alter or upgrade
the content going forward. 

So I think i'd rather just wait for an update.