(In reply to William Brown from comment #0)
> type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED"
> operation="open" profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7"
> name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565
> comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471
>
> This is with a machine set to "<os firmware='efi'>". The firmware is from
> qemu-ovmf. This is a supported value per:
>
> virsh domcapabilities --machine pc-q35-6.2 | less
>
> <os supported='yes'>
> <enum name='firmware'>
> <value>bios</value>
> <value>efi</value>
> </enum>
>
>
> It appears that /var/lib/libvirt/qemu/nvram is missing from a read allow
> list in the dynamic apparmor rules.
>
>
> cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
> #
> # This profile is for the domain whose UUID matches this file.
> #
>
> #include <tunables/global>
>
> profile libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
> flags=(attach_disconnected) {
> #include <abstractions/libvirt-qemu>
> #include <libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7.files>
>
> }
>
> It is likely that the nvram rule needs to be added to the generated .files
> that is in use.

The libvirt-qemu abstraction should provide rules for those files. Does yours have

  /usr/share/qemu/** r,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
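
One way to run the check the reply asks for, as an added example that is not part of the original comment or of libvirt: parse the AVC record and test whether a set of AppArmor file rules covers the denied path and mask. The function names are hypothetical, the rule text is constructed from the two rules quoted in the reply, and only plain file rules with single-letter permissions and the `*`, `**` and `?` globs are handled.

```python
import re

# Constructed sample input: the denial quoted above and the two rules the
# reply asks about (what a given system's abstraction contains is assumed).
AVC = ('type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" '
       'operation="open" profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" '
       'name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 '
       'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471')
RULES = """
  /usr/share/qemu/** r,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
"""

def parse_avc(line):
    """Split an audit record into its key=value fields (quotes removed)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """AppArmor globbing subset: ** crosses '/', while * and ? do not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out)

def parse_rules(text):
    """Yield (owner_only, glob, perms) for plain file rules; skips other lines."""
    for raw in text.splitlines():
        m = re.match(r"\s*(owner\s+)?(/\S+)\s+([a-zA-Z]+),", raw)
        if m:
            yield bool(m.group(1)), m.group(2), set(m.group(3))

def covering_rules(avc_line, rules_text):
    """Return the globs of rules that grant every permission in denied_mask."""
    f = parse_avc(avc_line)
    hits = []
    for owner_only, glob, perms in parse_rules(rules_text):
        if owner_only and f["fsuid"] != f["ouid"]:
            continue  # owner rules apply only when the task's fsuid owns the file
        if glob_to_regex(glob).fullmatch(f["name"]) and set(f["denied_mask"]) <= perms:
            hits.append(glob)
    return hits

if __name__ == "__main__":
    print(covering_rules(AVC, RULES) or "no rule covers this denial")
```

To test a real system, pass the contents of the abstraction file and of the generated `.files` include as `rules_text`; an empty result means neither carries a rule for the NVRAM file.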