diff --git a/debian/patches/apparmor-Allow-run-pygrup.patch b/debian/patches/apparmor-Allow-run-pygrup.patch
new file mode 100644
index 0000000..5678aad
--- /dev/null
+++ b/debian/patches/apparmor-Allow-run-pygrup.patch
@@ -0,0 +1,20 @@
+From: Tobias Wolter <towo@b1-systems.de>
+Date: Wed, 21 Aug 2019 10:27:05 +0200
+Subject: apparmor: Allow run pygrup
+
+---
+ src/security/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
+index c7c52c6..477788e 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd
++++ b/src/security/apparmor/usr.sbin.libvirtd
+@@ -85,6 +85,7 @@
+   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+   /usr/{lib,lib64}/xen/bin/* Ux,
+   /usr/lib/xen-*/bin/libxl-save-helper PUx,
++  /usr/lib/xen-*/bin/pygrub PUx,
+ 
+   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+   # read and run an ebtables script.
diff --git a/debian/patches/series b/debian/patches/series
index 3d1d869..1d298fa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -34,3 +34,4 @@
 security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
 security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
 Include-etc-pki-qemu-in-apparmor.patch
+apparmor-Allow-run-pygrup.patch