#echo -n 1 > /sys/devices/system/cpu/intel_pstate/no_turbo

virsh change-media cfg hdc --insert /mnt/vgl/kvm/part.iso
error: Failed to complete action insert on media
error: internal error: unable to execute QEMU command 'change': Could not open '/mnt/vgl/kvm/part.iso': Permission denied

virsh attach-disk cfg /mnt/vgl/kvm/part.iso hdc --type cdrom --mode readonly
error: Failed to attach disk
error: internal error: unable to execute QEMU command 'change': Could not open '/mnt/vgl/kvm/part.iso': Permission denied

ls -la /mnt/vgl/kvm/part.iso
-rw-rw-rw- 1 hint virt 86267904 Oct  5 04:52 /mnt/vgl/kvm/part.iso

user = "hint"
group = "virt"
security_driver = "apparmor" #Пробовал ставить "none" не помогает

id hint
uid=1000(hint) gid=1000(hint) groups=1000(hint),24(cdrom),27(sudo),29(audio),114(kvm),1001(virt),1002(power)

#!/bin/sh

IPTABLES="/sbin/iptables"
REDSOCKS="/usr/bin/redsocks"
REDSOCKSCFG="/home/user/.redsocks/redsocks.conf"
REDSOCKS_PORT="12345" #local_port in $REDSOCKSCFG
PDNSDCFG="/etc/pdnsd.conf"
SERVER="your_ssh_server"

if [ "$1" = "start" ]; then
        echo '(Re)starting redsocks...'
        pkill -U $USER redsocks 2>/dev/null
        sleep 1
        $REDSOCKS -c $REDSOCKSCFG
        echo '(Re)starting pdnsd'
        pkill -U $USER pdnsd 2>/dev/null
        pdnsd -d -mto -c $PDNSDCFG
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X
        $IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353 #redirect dns queries


        $IPTABLES -t nat -D PREROUTING -p tcp -j REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -D OUTPUT     -p tcp -j REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -F REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -X REDSOCKS_FILTER 2>/dev/null
        $IPTABLES -t nat -F REDSOCKS 2>/dev/null
        $IPTABLES -t nat -X REDSOCKS 2>/dev/null

# Create our own chain
        $IPTABLES -t nat -N REDSOCKS
        $IPTABLES -t nat -N REDSOCKS_FILTER

# Do not try to redirect local traffic
        $IPTABLES -t nat -I REDSOCKS_FILTER -o lo -j RETURN


# Do not redirect LAN traffic and some other reserved addresses. (blacklist option)
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 0.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 10.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 127.0.0.0/8 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 169.254.0.0/16 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 172.16.0.0/12 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 192.168.0.0/16 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 224.0.0.0/4 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d 240.0.0.0/4 -j RETURN
        $IPTABLES -t nat -A REDSOCKS_FILTER -d $SERVER -j RETURN 
        $IPTABLES -t nat -A REDSOCKS_FILTER -j REDSOCKS

# Redirect all traffic that gets to the end of our chain
        $IPTABLES -t nat -A REDSOCKS   -p tcp -j REDIRECT --to-port $REDSOCKS_PORT

## Filter all traffic from the own host
## BE CAREFULL HERE IF THE SOCKS-SERVER RUNS ON THIS MACHINE
        $IPTABLES -t nat -A OUTPUT     -p tcp -j REDSOCKS_FILTER

# Filter all traffic that is routed over this host
        $IPTABLES -t nat -A PREROUTING -p tcp -j REDSOCKS_FILTER

        echo IPtables reconfigured.
        exit 0;
elif [ "$1" = "stop" ]; then
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X
        killall redsocks
        killall pdnsd
        exit 0;
else
        exit 1;
fi

В конфиге redsocks указываю слушать на всех интерфейсах, т.е. 0.0.0.0 12345
Вообщем может кто нить реализовывал такое с квм/qemu, на virtbox все работает в режиме нат без лишних телодвижений, но там нат какой то другой, пакеты при этом не попадают в цепочку FORWARD.