http://bugzilla.opensuse.org/show_bug.cgi?id=1203976
Bug ID: 1203976
Summary: libvirt fails to start machine with efi due to missing apparmor rules
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.4
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Other
Assignee: virt-bugs@suse.de
Reporter: william.brown@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open"
profile="libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7"
name="/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd" pid=32565
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=471 ouid=471
This is with a machine set to "<os firmware='efi'>". The firmware is from
qemu-ovmf. This is a supported value per:
virsh domcapabilities --machine pc-q35-6.2 | less
<os supported='yes'>
<enum name='firmware'>
<value>bios</value>
<value>efi</value>
</enum>
It appears that /var/lib/libvirt/qemu/nvram is missing from a read allow list
in the dynamic apparmor rules.
cat /etc/apparmor.d/libvirt/libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7
#
# This profile is for the domain whose UUID matches this file.
#
#include
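
A triage sketch for denials like the one quoted in this report, added here as an example and not part of the original bug report or of libvirt: it parses AppArmor audit records, keeps only DENIED entries against per-domain libvirt-<UUID> profiles, and merges the denied permissions per path. Only the first sample record comes from the report (joined onto one line); the other records, the SPACED path and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LIBVIRT_PROFILE = re.compile(r'^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        # The audit subsystem logs a name containing spaces, quotes or control
        # characters as unquoted hex; decode it back to a path.
        if key == "name" and quoted is None and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields

def libvirt_denials(log_text):
    """Map (profile, path) -> sorted string of denied permission letters."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        if not LIBVIRT_PROFILE.match(rec.get("profile", "")):
            continue  # not a per-domain libvirt profile
        denied[(rec["profile"], rec["name"])].update(rec.get("denied_mask", ""))
    return {key: "".join(sorted(mask)) for key, mask in denied.items()}

PROFILE = "libvirt-45e53ce1-5216-40ee-89a7-5bf6ee956be7"
NVRAM = "/var/lib/libvirt/qemu/nvram/alpdev_VARS.fd"
SPACED = "/var/lib/libvirt/qemu/nvram/my vm_VARS.fd"  # constructed path with a space
COMMON = 'pid=32565 comm="qemu-system-x86"'
SAMPLE_LOG = "\n".join([
    # Record from the report, joined onto one line.
    f'type=AVC msg=audit(1664852216.614:1786040): apparmor="DENIED" operation="open" profile="{PROFILE}" name="{NVRAM}" {COMMON} requested_mask="r" denied_mask="r" fsuid=471 ouid=471',
    # Constructed records: a write denial, a hex-encoded name, an unrelated profile, an ALLOWED entry.
    f'type=AVC msg=audit(1664852217.000:1786041): apparmor="DENIED" operation="open" profile="{PROFILE}" name="{NVRAM}" {COMMON} requested_mask="w" denied_mask="w" fsuid=471 ouid=471',
    f'type=AVC msg=audit(1664852218.000:1786042): apparmor="DENIED" operation="open" profile="{PROFILE}" name={SPACED.encode().hex().upper()} {COMMON} requested_mask="r" denied_mask="r" fsuid=471 ouid=471',
    f'type=AVC msg=audit(1664852219.000:1786043): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=100 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    f'type=AVC msg=audit(1664852220.000:1786044): apparmor="ALLOWED" operation="open" profile="{PROFILE}" name="/dev/kvm" {COMMON} requested_mask="rw" denied_mask="rw" fsuid=471 ouid=0',
])

if __name__ == "__main__":
    for (profile, path), mask in sorted(libvirt_denials(SAMPLE_LOG).items()):
        print(f"{profile}  {path}  denied={mask}")
```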