AppArmor libvirtd issues

Hi all

Trying to install a VM on KVM inside an LXC Ubuntu 20 container, but the AppArmor kernel module from the main host is causing issues.

May 20 09:25:08 oshift dnsmasq[1069]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile

May 20 09:32:55 oshift libvirtd[149]: libvirt version: 6.0.0, package: 0ubuntu8 (William Grant wgrant@ubuntu.com Sat, 18 Apr 2020 13:59:21 +1000)

May 20 09:32:55 oshift libvirtd[149]: hostname: oshift

May 20 09:32:55 oshift libvirtd[149]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c -u libvirt-815f1ad8-b426-4976-b14a-16c2a01c48ea) unexpected exit status 1: 2020-05-20 09:32:55.870+0000: 1234: info : libvirt version: 6.0.0, package: 0ubuntu8 (William Grant wgrant@ubuntu.com Sat, 18 Apr 2020 13:59:21 +1000)#0122020-05-20 09:32:55.870+0000: 1234: info : hostname: oshift#0122020-05-20 09:32:55.870+0000: 1234: error : virStorageFileBackendFileRead:128 : Failed to open file ‘/home/ubuntu/.crc/machines/crc/crc’: Permission denied#012virt-aa-helper: error: apparmor_parser exited with error

May 20 09:32:55 oshift libvirtd[149]: internal error: cannot load AppArmor profile ‘libvirt-815f1ad8-b426-4976-b14a-16c2a01c48ea’

May 20 09:32:55 oshift systemd[1]: Started Virtual machine log manager.

May 20 09:32:55 oshift libvirtd[149]: End of file while reading data: Input/output error

LXC profile below:

config:
  limits.memory.swap: "false"
  linux.kernel_modules: nf_nat,ip_tables,ip6_tables,kvm,kvm_intel,openvswitch,tap,vhost,vhost_net,vhost_scsi,vhost_vsock,netlink_diag,br_netfilter,xt_conntrack,nf_conntrack,ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,overlay,vxlan
  raw.lxc: "lxc.apparmor.profile=unconfined\nlxc.cap.drop= \nlxc.cgroup.devices.allow=a\nlxc.mount.auto=proc:rw sys:rw"
  security.nesting: "true"
  security.privileged: "true"
description: oshift LXD br0 profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  kvm:
    path: /dev/kvm
    type: unix-char
  root:
    path: /
    pool: default
    type: disk
  tun:
    path: /dev/net/tun
    type: unix-char
  vhost-net:
    mode: "0600"
    path: /dev/vhost-net
    type: unix-char
  vhost-scsi:
    mode: "0600"
    path: /dev/vhost-scsi
    type: unix-char
  vhost-vsock:
    path: /dev/vhost-vsock
    type: unix-char

Have tried on a CentOS 7 image, but same issue. No AppArmor installed; however, the LXD main host is enforcing even though lxc.apparmor.profile=unconfined is set in the profile.

Appreciate any direction here.

Edit: AppArmor enforcing via LXD host

sudo cat /sys/kernel/security/apparmor/profiles

lxd-oshift_</var/snap/lxd/common/lxd> (enforce)

docker-default (enforce)

lxd-pminion_</var/snap/lxd/common/lxd> (enforce)

libvirt-487a891d-285b-407e-9fa7-4470dfdbd2c6 (enforce)