
The AppArmor security driver has partial support for hostdev devices in that if they already exist in the XML, virt-aa-helper can find them and add them to the profile. Hot attach does not work [1] because AppArmorSetSecurityHostdevLabel and AppArmorRestoreSecurityHostdevLabel are not currently implemented.

From the patch description:

Implement AppArmorSetSecurityHostdevLabel() and AppArmorRestoreSecurityHostdevLabel() for hostdev and pcidev attach. virt-aa-helper also has to be adjusted because *FileIterate() is used for pci and usb devices and the corresponding XML for hot attached hostdev and pcidev is not in the XML passed to virt-aa-helper.

The new '-F filename' option is added to append a rule to the profile as opposed to the existing '-f filename', which rewrites the libvirt-<uuid>.files file anew. This new '-F' option will append a rule to an existing libvirt-<uuid>.files if it exists, otherwise it acts the same as '-f'.

load_profile() and reload_profile() have been adjusted to add an 'append' argument, which when true will use '-F' instead of '-f' when executing virt-aa-helper. All existing calls to load_profile() and reload_profile() have been adjusted to use the old behavior (i.e. append==false) except AppArmorSetSavedStateLabel(), where it made sense to use the new behavior.

This patch also adds tests for '-F'.

The tests still use the old convention of cat with sed that Eric Blake mentioned should be improved; I will be submitting another patch for this.

This patch compiles fine with --enable-compile-warnings=error, passes the parts of 'make check' that this patch touches (i.e. the daemon-conf fails here, but it always fails for me) and passes 'syntax-check'.

Jamie

[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/640993

-- 
Jamie Strandboge | http://www.canonical.com
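The difference between rewriting the libvirt-<uuid>.files include with '-f' and appending to it with '-F', and why the append mode matters for hot attach, can be seen with a small shell model of the described semantics. This is an added illustration, not virt-aa-helper or any libvirt code: the function names (rewrite_files, append_rule, rule_count, has_rule), the PROFILE_DIR location and the sample AppArmor rules are all made up for the demo. The point it shows is that a second rewrite after a hot attach silently drops the appended device rule, which is exactly what the append mode avoids.

```shell
#!/bin/sh
# Model of the '-f' (rewrite) vs '-F' (append) behaviour described in the
# patch.  Added example only; not virt-aa-helper code.  Directory, function
# names and rules are assumptions for the demonstration.

PROFILE_DIR="${PROFILE_DIR:-$(mktemp -d)}"

# files_path UUID -> path of the per-domain libvirt-<uuid>.files include
files_path() {
    printf '%s/libvirt-%s.files' "$PROFILE_DIR" "$1"
}

# rewrite_files UUID RULE... : like '-f', (re)create the file from scratch
# with only the rules given on this invocation
rewrite_files() {
    uuid=$1; shift
    f=$(files_path "$uuid")
    : > "$f"
    for rule in "$@"; do
        printf '  %s\n' "$rule" >> "$f"
    done
}

# append_rule UUID RULE : like '-F', append one rule to an existing file;
# if the file does not exist yet, fall back to the '-f' behaviour
append_rule() {
    uuid=$1; rule=$2
    f=$(files_path "$uuid")
    if [ -f "$f" ]; then
        printf '  %s\n' "$rule" >> "$f"
    else
        rewrite_files "$uuid" "$rule"
    fi
}

# rule_count UUID : number of rule lines currently in the file (0 if absent)
rule_count() {
    f=$(files_path "$1")
    if [ -f "$f" ]; then
        grep -c . "$f" || true
    else
        echo 0
    fi
}

# has_rule UUID RULE : succeeds if that exact rule line is present
has_rule() {
    f=$(files_path "$1")
    [ -f "$f" ] && grep -Fxq "  $2" "$f"
}

# demo : walk through define, hot attach, and the lossy rewrite
demo() {
    u=11111111-2222-3333-4444-555555555555   # made-up domain UUID
    disk='"/var/lib/libvirt/images/vm.img" rw,'
    usb='"/dev/bus/usb/001/002" rw,'          # constructed hot-attached device

    rewrite_files "$u" "$disk"                 # domain start: '-f'
    append_rule "$u" "$usb"                    # hot attach:   '-F'
    echo "after hot attach ($(rule_count "$u") rules):"
    cat "$(files_path "$u")"

    rewrite_files "$u" "$disk"                 # another '-f' drops the USB rule
    echo "after rewrite ($(rule_count "$u") rules):"
    cat "$(files_path "$u")"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run the script with the single argument `demo` to see the include file before and after a rewrite; the functions can also be sourced and driven directly.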