AppArmor and the sVirt isolation model
AppArmor and SELinux solve a similar problem for libvirt: they confine the hypervisor and protect guest resources with mandatory access control. sVirt is the broader model that binds guest execution to labeled or profile
AppArmor and SELinux solve a similar problem for libvirt: they confine the hypervisor and protect guest resources with mandatory access control. sVirt is the broader model that binds guest execution to labeled or profiled resources.
What changes on AppArmor hosts
Instead of SELinux labels, you usually inspect AppArmor profiles, complain mode, and denials recorded by the kernel or distribution tooling.
aa-status
journalctl -k -g apparmor -n 100sVirt mental model
Think in terms of controlled guest reach:
- The guest process should only see its own disks and devices.
- Host-side resources need an explicit profile or label path.
- Moving a disk or firmware blob can silently invalidate the policy assumptions.
Practical debugging
Start with the resource path and the guest XML. If both are correct, inspect the host security framework before editing the domain definition again.