After looking further into the call structure it seems that the denials are happening through the call structure of libvirt -> qemu -> qemu_tpm.c -> swtpm and swtpm_setup, where the two programs are borrowing the apparmor profile libvirt-[UUID] rather than using usr.bin.swtpm.
It seems like the most proper way to fix this would be to make sure swtpm uses its own profile by adding a Discrete Profile execute mode px line to the libvirt profile, such as some variation of:

    /usr/bin/swtpm px

or

    /usr/bin/swtpm px -> swtpm

This fixes swtpm's apparmor issues but causes a new error on start from virt-aa-helper, which fails to parse this and the following is shown:

    Error starting domain: internal error: cannot load AppArmor profile 'libvirt-[UUID]'

--
https://bugs.launchpad.net/bugs/1968187
Title: apparmor denial when using swtpm
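As an added illustration that is not part of the bug report, the script below shows how a defender would spot the symptom described above in the kernel audit log: AppArmor DENIED records whose comm is swtpm or swtpm_setup but whose confining profile is a libvirt-<UUID> profile, which means the helper inherited the guest's profile across exec instead of transitioning to its own. The log lines are constructed samples; the UUID, paths and pids are placeholders.

```python
import re

# Constructed sample records in the shape AppArmor writes to the kernel log;
# the UUID, paths and pids are placeholders, not values taken from the bug report.
SAMPLE_LOG = """\
audit: type=1400 audit(1649000000.100:101): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/lib/libvirt/swtpm/00000000-0000-0000-0000-000000000000/tpm2/" pid=4242 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1649000000.200:102): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/lib/swtpm-localca/" pid=4243 comm="swtpm_setup" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1649000000.300:103): apparmor="ALLOWED" operation="open" profile="swtpm" name="/var/lib/swtpm-localca/" pid=4244 comm="swtpm_setup" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1649000000.400:104): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/etc/something" pid=4245 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens (pid=4242)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
TPM_HELPERS = {"swtpm", "swtpm_setup"}


def parse_record(line):
    """Split one AppArmor audit line into a dict of its key=value fields.
    Returns None for lines that carry no apparmor= field."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    return fields if fields.get("apparmor") else None


def inherited_swtpm_denials(log_text):
    """Return DENIED records where swtpm/swtpm_setup was confined by a
    libvirt-<UUID> profile rather than its own, i.e. the profile was
    inherited across exec instead of a px transition taking place."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("comm") in TPM_HELPERS and rec.get("profile", "").startswith("libvirt-"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in inherited_swtpm_denials(SAMPLE_LOG):
        print(f"{rec['comm']} (pid {rec['pid']}) confined by {rec['profile']}: "
              f"{rec['operation']} {rec['name']} denied {rec['denied_mask']}")
```

Ordinary qemu denials under the same libvirt-<UUID> profile and records already attributed to the swtpm profile are deliberately left out, so the output isolates the inheritance problem from unrelated policy gaps.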