Comment # 2 on bug 1203976 from
(In reply to William Brown from comment #0)
> type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED"
> operation="open" profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7"
> name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565
> comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471
> 
> This is with a machine set to "<os firmare='efi'>". The firmware is from
> qemu-ovmf. This is a supported value per:
> 
> virsh domcapabilities --machine pc-q35-6.2 | less
> 
>   <os supported='yes'>
>     <enum name='firmware'>
>       <value>bios</value>
>       <value>efi</value>
>     </enum>
> 
> 
> It appears that /var/lib/libvirt/qemu/nvram is missing from a read allow
> list in the dynamic apparmor rules. 
> 
> 
>  cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
> #
> # This profile is for the domain whose UUID matches this file.
> #
> 
> #include <tunables/global>
> 
> profile libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
> flags=(attach_disconnected) {
>   #include <abstractions/libvirt-qemu>
>   #include <libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7.files>
> 
> }
> 
> It is likely that the nvram rule needs to be added to the generated .files
> that is in use.

The libvirt-qemu abstraction should provide rules for those files. Does yours
have

 /usr/share/qemu/** r,
 owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,


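A small triage helper, added here as an example and not code from the bug report or from libvirt/AppArmor: it parses an AppArmor AVC audit line of the shape quoted above and checks whether a given set of path rules (here the two rules the reply names, embedded as a constructed excerpt of the libvirt-qemu abstraction) would cover the denied access. The glob translation follows AppArmor's convention that `*` stays within one path component and `**` crosses components; it deliberately ignores everything else a real profile can contain (other abstractions, variables, qualifiers), so it only answers "is this denial explained by a missing or absent rule in this excerpt".

```python
import re

# Constructed sample input: the AVC line quoted in the report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" '
    'operation="open" profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7" '
    'name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471'
)

# Constructed excerpt standing in for abstractions/libvirt-qemu: the two rules
# the reply asks about. A real abstraction contains many more rules.
SAMPLE_ABSTRACTION = """\
# excerpt of abstractions/libvirt-qemu (constructed for this example)
  /usr/share/qemu/** r,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
"""

# Same excerpt with the nvram rule missing, reproducing the reported denial.
ABSTRACTION_WITHOUT_NVRAM = """\
  /usr/share/qemu/** r,
"""

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_RULE = re.compile(r'^\s*(owner\s+)?(/\S+)\s+([rwklmxaipcu]+),\s*$')


def parse_avc(line):
    """Split an audit line into key=value fields, unquoting quoted values."""
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields


def parse_rules(text):
    """Extract simple path rules ('[owner] /glob perms,') from profile text."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # drop comments and #include lines
        m = _RULE.match(line)
        if m:
            rules.append({'owner': bool(m.group(1)),
                          'glob': m.group(2),
                          'perms': set(m.group(3))})
    return rules


def _glob_to_regex(glob):
    """AppArmor glob -> regex: '**' spans '/', a single '*' does not."""
    out = ''
    i = 0
    while i < len(glob):
        if glob.startswith('**', i):
            out += '.*'
            i += 2
        elif glob[i] == '*':
            out += '[^/]*'
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile('^' + out + '$')


def covering_rules(avc, rules):
    """Return the rules that would have permitted the denied access.

    A rule covers the denial when its glob matches the denied path, every
    permission in denied_mask is granted, and an 'owner' rule is only counted
    when the accessing fsuid equals the file's ouid.
    """
    path = avc['name']
    needed = set(avc['denied_mask'])
    owner_ok = avc.get('fsuid') == avc.get('ouid')
    hits = []
    for rule in rules:
        if not _glob_to_regex(rule['glob']).match(path):
            continue
        if rule['owner'] and not owner_ok:
            continue
        if needed <= rule['perms']:
            hits.append(rule)
    return hits


def explain(line, profile_text):
    """One-line verdict for an AVC line against a profile/abstraction excerpt."""
    avc = parse_avc(line)
    hits = covering_rules(avc, parse_rules(profile_text))
    if hits:
        return 'covered by: ' + ', '.join(r['glob'] for r in hits)
    return 'no rule grants %r on %s' % (avc['denied_mask'], avc['name'])


if __name__ == '__main__':
    print(explain(SAMPLE_AVC, SAMPLE_ABSTRACTION))
    print(explain(SAMPLE_AVC, ABSTRACTION_WITHOUT_NVRAM))
```

Run against the full excerpt the denial is covered by the `owner .../nvram/*_VARS.fd rwk` rule (fsuid and ouid are both 471, so the `owner` qualifier is satisfied); run against the excerpt without that rule, the `/usr/share/qemu/**` rule does not reach the nvram path and the helper reports the same gap the reporter hit. Feeding it the contents of the system's actual `abstractions/libvirt-qemu` is the quickest way to answer the reply's question.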