Andy Millman changed bug 1202191

What        Removed  Added
Status      NEW      RESOLVED
Resolution  ---      FIXED

Comment # 12 on bug 1202191 from
(In reply to Christian Boltz from comment #11)

> The libvirtd profile contains
>   /usr/libexec/* PUxr,
> which should allow to execute everything in /usr/libexec/ (even if no
> profile exists for it, in this case it will run unconfined).
> 
> Please check if your /etc/apparmor.d/usr.sbin.libvirtd really includes that
> rule (should be in line 109).

Yes it includes that line.

> (IMHO that rule is too broad and insecure given the large amount of binaries
> in /usr/libexec/, but that's another topic.)
> 
> Please also show the output of
>     ls -l /etc/apparmor.d/usr*virt* /var/cache/apparmor/*/usr*virt*
> 
> Wild guess: if your (renamed) usr.sbin.libvirtd kept the timestamp from the
> rpm, your profile cache might still have a cache file of the previous
> profile. The above "ls -l" will show that.
> You can try   touch /etc/apparmor.d/usr.sbin.libvirtd ; rcapparmor reload  
> to ensure the cache gets updated - but please do that only _after_ saving
> the "ls -l" output.

Ok you guessed the correct issue! It was caching an old copy of the file. The
touch command fixed everything. Sincere thanks for your help in tracking down
and helping to fix this issue. Much appreciated!

Also sincere thanks to James Fehlig for all the help. Much appreciated!
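
The stale-cache condition diagnosed in this thread can be checked for across all profiles. The script below is an added example, not part of the bug comments or of AppArmor; it assumes GNU stat, the cache layout from the "ls -l" command quoted above, and that installing or renaming a profile updates its inode change time (ctime). The function names suspect_cache and audit_cache are hypothetical.

```shell
#!/bin/sh
# Added example: flag AppArmor profiles whose cache file is newer than the
# profile by mtime, although the profile's inode changed after the cache
# was written (e.g. a renamed file that kept its rpm timestamp).
# Assumptions: GNU stat; cache files live at <cache_dir>/<subdir>/<name>.

# suspect_cache PROFILE CACHE -> exit 0 if the cache may hide a newer profile
suspect_cache() {
    p_mtime=$(stat -c %Y "$1") || return 2
    p_ctime=$(stat -c %Z "$1") || return 2
    c_mtime=$(stat -c %Y "$2") || return 2
    # mtime older than cache: a timestamp comparison would reuse the cache.
    # ctime newer than cache: the file was replaced or renamed afterwards.
    [ "$p_mtime" -lt "$c_mtime" ] && [ "$p_ctime" -gt "$c_mtime" ]
}

# audit_cache PROFILE_DIR CACHE_DIR -> print one line per suspect pair
audit_cache() {
    for profile in "$1"/*; do
        [ -f "$profile" ] || continue
        name=$(basename "$profile")
        for cache in "$2"/*/"$name"; do
            [ -f "$cache" ] || continue
            if suspect_cache "$profile" "$cache"; then
                echo "SUSPECT $profile (cache: $cache)"
            fi
        done
    done
}

# Stand-alone use: sh script.sh --run [profile_dir] [cache_dir]
# Defaults are the directories named in the thread.
if [ "${1:-}" = "--run" ]; then
    audit_cache "${2:-/etc/apparmor.d}" "${3:-/var/cache/apparmor}"
fi
```

A flagged profile is a candidate for the touch-and-reload step described in the quoted comment; a profile that has just been touched is no longer flagged because its mtime is then newer than the cache.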
