(In reply to James Fehlig from comment #6) > Domain profiles in /etc/apparmor.d/libvirt/ are generated when starting a VM > and removed when shutting it down. This does not seems right, because https://gitlab.com/apparmor/apparmor/wikis/Libvirt#advanced-usage says, that > If you need to adjust access controls for a single guest, adjust /etc/apparmor.d/libvirt-, where is the UUID of the guest Which would be totally useless if it would get removed at shutdown. It is also mentioned here https://doc.opensuse.org/documentation/leap/virtualization/html/book.virt/cha.lxc.html#sec.lxc.config.apparmor Now, checking the source code and when this removal you mention was introduced: https://github.com/libvirt/libvirt/commit/eba2225bc52624e748cb875e10962bc4c46a0516#diff-8852eb1be9ce9ea8c64fb23af57a0e88 and that it is included also in libvirt 4.0.0 which is in Leap 15 it seem that both documentations are wrong. > Since the libvirt apparmor driver is not loaded, the default security model > is 'none'. Setting security_default_confined has no effect when the active > model is a no-op. This is unfortuates, because comment makes it sound that this "if apparmor is available" applies only to libvirtd, but qemu instances "will be confined by default" when config is set to nonzero (as the condition does not seem to apply to this part as it is different sentence). I just installed new Tumbleweed with KVM Host and Virtualization Tools pattern. I changed only security_driver, started libvirt and I get the same error. No other changes were made after installation.