For the record I've reproduced this.
Interestingly, /dev/dm-2 *is* in the allowed list. Following is the syslog entry:
Jan 5 10:07:11 sergelap kernel: [ 5768.408495] type=1400 audit(1325779631.010:95): apparmor="DENIED" operation="open" parent=1606 profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-2" pid=13978 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 5 10:07:11 sergelap kernel: [ 5768.682389] type=1400 audit(1325779631.286:96): apparmor="STATUS" operation="profile_load" name="libvirt-defba839-e7fc-1290-17b4-d0e8c1e68296" pid=13985 comm="apparmor_parser"
So it is virt-aa-helper's profile which needs to be updated, not that of the VMs. In particular:
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
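
An added example, not part of the original comment: a small Python parser for AppArmor audit lines that groups DENIED records by their profile= field, which is the field that shows the denial above belongs to virt-aa-helper's own profile and not to a per-VM libvirt-<UUID> profile. The function names are hypothetical; the sample input is the two syslog lines quoted above.

```python
import re
from collections import defaultdict

# The two syslog lines quoted in the comment above.
SAMPLE = """\
Jan 5 10:07:11 sergelap kernel: [ 5768.408495] type=1400 audit(1325779631.010:95): apparmor="DENIED" operation="open" parent=1606 profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-2" pid=13978 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 5 10:07:11 sergelap kernel: [ 5768.682389] type=1400 audit(1325779631.286:96): apparmor="STATUS" operation="profile_load" name="libvirt-defba839-e7fc-1290-17b4-d0e8c1e68296" pid=13985 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value pairs inside an audit record
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def denials_by_profile(text):
    """Map each confining profile to the sorted (path, denied_mask) pairs it refused."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED":
            grouped[rec["profile"]].add((rec["name"], rec["denied_mask"]))
    return {profile: sorted(hits) for profile, hits in grouped.items()}


def is_per_vm_profile(profile):
    """True for per-guest profile names of the form libvirt-<UUID>, as in the STATUS line."""
    return re.fullmatch(r"libvirt-[0-9a-f-]{36}", profile) is not None


if __name__ == "__main__":
    for profile, hits in denials_by_profile(SAMPLE).items():
        kind = "per-VM profile" if is_per_vm_profile(profile) else "not a per-VM profile"
        for path, mask in hits:
            print(f"{profile} ({kind}): denied {mask} on {path}")
```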