apparmor="DENIED" when I try to start my VM after a disk snapshot

Hello,

I created a disk snapshot of a VM. Now I can’t start this VM… It seems to be due to apparmor.

[Fri Feb 28 08:20:53 2025] audit: type=1400 audit(1740727256.969:813): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" pid=3837143 comm="apparmor_parser"
[Fri Feb 28 08:20:53 2025] audit: type=1400 audit(1740727257.069:814): apparmor="DENIED" operation="open" profile="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" name="/var/lib/one/datastores/0/113/disk.0.snap/0" pid=3837147 comm="qemu-kvm-one" requested_mask="r" denied_mask="r" fsuid=9869 ouid=9869

root@R2-DellServer01:/etc/apparmor.d/libvirt# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm

root@R2-DellServer01:/etc/apparmor.d/libvirt# dpkg -s apparmor | grep '^Version:'
Version: 3.0.8-3

Can someone help me?

Thanks a lot,
Benjamin

I guess this is the reason:
Feb 28 10:45:16 R2-DellServer01 libvirtd[3477]: Failed to read AppArmor profiles list '/sys/kernel/security/apparmor/profiles': Permission denied

root@R2-DellServer01:~# ls -l /sys/kernel/security/apparmor/profiles
-r--r--r-- 1 root root 0 Feb 28 10:41 /sys/kernel/security/apparmor/profiles

Disabling apparmor solves the issue…

sudo systemctl disable apparmor
init 6

Then it’s OK.

But this should not be the final solution, I guess.

Hello @benjavd,

As explained in the documentation:
KVM Node Installation

The idea is to configure AppArmor so that it does not clash with Libvirt. If you think the behaviour should be different, let us know, so we can review it.

Cheers,

Hello,

Thanks a lot for the answer. I’ll follow the documentation then.

Best regards,
Benjamin
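
For triaging denials like the one in the first post without disabling AppArmor, here is an added example (not part of the thread and not OpenNebula or libvirt code) that parses AppArmor audit records and lists the path and permission each profile was refused. The function names are hypothetical, the sample input is the two records from the post, and the printed line is only a candidate in AppArmor rule syntax to check against the KVM Node Installation documentation.

```python
import re
from collections import defaultdict

# Sample input: the two audit records quoted in the first post.
SAMPLE = "\n".join([
    '[Fri Feb 28 08:20:53 2025] audit: type=1400 audit(1740727256.969:813): '
    'apparmor="STATUS" operation="profile_replace" profile="unconfined" '
    'name="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" pid=3837143 '
    'comm="apparmor_parser"',
    '[Fri Feb 28 08:20:53 2025] audit: type=1400 audit(1740727257.069:814): '
    'apparmor="DENIED" operation="open" '
    'profile="libvirt-12f32853-7e6b-4d66-b02b-4ba76bf37f1b" '
    'name="/var/lib/one/datastores/0/113/disk.0.snap/0" pid=3837147 '
    'comm="qemu-kvm-one" requested_mask="r" denied_mask="r" fsuid=9869 ouid=9869',
])

# key=value or key="value"; curly quotes are accepted too, because forum
# software often rewrites the straight quotes of pasted logs.
FIELD = re.compile(r'(\w+)=(?:["“”]([^"“”]*)["“”]|(\S+))')

def parse_audit(line):
    """Return the fields of an AppArmor audit record, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def denials(log):
    """Map (profile, path) to the set of permission letters that were denied."""
    found = defaultdict(set)
    for line in log.splitlines():
        rec = parse_audit(line)
        if rec and rec.get("apparmor") == "DENIED":
            found[(rec["profile"], rec["name"])].update(rec.get("denied_mask", ""))
    return dict(found)

def candidate_rules(log):
    """Render each denial as a rule line for review (no profile is modified)."""
    return [f"{path} {''.join(sorted(mask))},"
            for (_profile, path), mask in sorted(denials(log).items())]

if __name__ == "__main__":
    for (profile, path), mask in sorted(denials(SAMPLE).items()):
        print(f"{profile} was denied '{''.join(sorted(mask))}' on {path}")
    print("\n".join(candidate_rules(SAMPLE)))
```

The STATUS record is skipped because it only reports the profile being reloaded; only DENIED records describe an access the profile does not allow.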