libvirt qemu apparmor rule missing directory for spice TLS

Bug #1690140 reported by Astralstorm
This bug affects 1 person

Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Christian Ehrhardt
Milestone: (none)

Bug Description

There is a missing rule for a default libvirt-spice PKI directory in /etc/apparmor.d/abstractions/libvirt-qemu which prevents any VM from allowing remote Spice access with TLS.
Trying to enable it results in an error due to lack of access to key and certificate files.

The default directory is /etc/pki/libvirt-spice.

Astralstorm (astralstorm) wrote :

Bug affects trusty and xenial, but potentially also newer versions.

information type: Proprietary → Public
affects: juniperopenstack → libvirt (Ubuntu)
Christian Ehrhardt (paelzer) wrote :

Note: similar to bug 901272

Christian Ehrhardt (paelzer) wrote :

The reasoning for the last one to "go in" was that it is a somewhat official location guided by the libvirt documentation at https://wiki.libvirt.org/page/VNCTLSSetup.

Could you please outline which man page/guide/howto you are following that makes the default directory /etc/pki/libvirt-spice?

Also could you please share your dmesg so that we see what apparmor DENIES you have there?

Until it is decided whether this is a path that will be picked up by upstream and/or Ubuntu packaging, you should be able to add it as a local override and be fine. After all, any extra local config needs are exactly what those are meant for.
The file to add those to is likely /etc/apparmor.d/local/usr.sbin.libvirtd, but since I haven't yet seen the deny you face it might be different (depends on which process tries to access that).

Changed in libvirt (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
Christian Ehrhardt (paelzer) wrote :

If it really is qemu accessing that, as you mentioned it needs to be in /etc/apparmor.d/abstractions/libvirt-qemu, then very likely, instead of just adding it, one would like to detect the config in the XML with virt-aa-helper and generate the line as needed.

To better understand, on top of what I asked before, could you share your full guest XML so I can see if there is something virt-aa-helper could learn the path from?

Astralstorm (astralstorm) wrote :

I am not sure this is described in any man page, but it is mentioned in /etc/libvirt/qemu.conf as the default. The file is read by qemu and not libvirt itself.

This is not configurable per domain and has to be enabled first in that same file to work. (analogous to vnc)
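
To make the local-override suggestion in the earlier comment and the qemu.conf point above concrete, here is an added example script. It is not from the bug report, the libvirt project, or the Ubuntu package: it reads the spice_tls and spice_tls_x509_cert_dir keys from a qemu.conf fragment, picks out the AppArmor DENIED entries in a dmesg capture that fall under that directory, and prints the rule line an administrator would add to the profile or a local override before reloading it. The qemu.conf and dmesg text are constructed samples (profile name, pid and file names are made up), and the rule form `/etc/pki/libvirt-spice/* r,` is my assumption of what qemu needs to read the key and certificate, not the exact line in the package fix.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libvirt/Ubuntu packaging.
# Derive the SPICE TLS certificate directory from qemu.conf, confirm that the
# AppArmor denials in the kernel log point at that directory, and print the
# rule an admin would add to the qemu profile (or a local override).

# Constructed sample of /etc/libvirt/qemu.conf, only the relevant keys.
SAMPLE_QEMU_CONF='# SPICE TLS settings
#spice_tls = 0
spice_tls = 1
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
'

# Constructed sample dmesg lines; profile UUID, pid and file names are made up.
SAMPLE_DMESG='[  123.456789] audit: type=1400 audit(1495000000.001:42): apparmor="DENIED" operation="open" profile="libvirt-00000000-1111-2222-3333-444444444444" name="/etc/pki/libvirt-spice/server-key.pem" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[  123.456790] audit: type=1400 audit(1495000000.002:43): apparmor="DENIED" operation="open" profile="libvirt-00000000-1111-2222-3333-444444444444" name="/etc/pki/libvirt-spice/server-cert.pem" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[  200.000000] audit: type=1400 audit(1495000000.003:44): apparmor="ALLOWED" operation="open" profile="libvirt-00000000-1111-2222-3333-444444444444" name="/var/lib/libvirt/images/vm.qcow2" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
'

# Print the configured cert dir from qemu.conf text on stdin. Commented-out
# keys are ignored; when the key is absent the upstream default is used.
spice_cert_dir() {
    dir=$(sed -n 's/^[[:space:]]*spice_tls_x509_cert_dir[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | tail -n 1)
    if [ -n "$dir" ]; then
        printf '%s\n' "$dir"
    else
        printf '%s\n' "/etc/pki/libvirt-spice"
    fi
}

# Exit 0 when spice_tls = 1 is set (uncommented) in the qemu.conf text on stdin.
spice_tls_enabled() {
    grep -Eq '^[[:space:]]*spice_tls[[:space:]]*=[[:space:]]*1'
}

# From dmesg text on stdin, print the paths a qemu process was denied under
# the directory given as $1, one per line, deduplicated.
denied_paths_under() {
    grep 'apparmor="DENIED"' | grep 'comm="qemu' \
        | sed -n 's/.*name="\([^"]*\)".*/\1/p' | grep "^$1/" | sort -u
}

# Rule to add for directory $1. Assumption: read access to the files directly
# inside the directory is what qemu needs; the bug page does not show the
# exact rule the package fix uses.
apparmor_rule_for() {
    printf '%s/* r,\n' "$1"
}

main() {
    if ! printf '%s' "$SAMPLE_QEMU_CONF" | spice_tls_enabled; then
        echo "spice_tls is not enabled in qemu.conf; nothing to do"
        return 0
    fi
    dir=$(printf '%s' "$SAMPLE_QEMU_CONF" | spice_cert_dir)
    echo "configured SPICE cert dir: $dir"
    denied=$(printf '%s' "$SAMPLE_DMESG" | denied_paths_under "$dir")
    if [ -z "$denied" ]; then
        echo "no AppArmor denials under $dir in the log"
        return 0
    fi
    echo "files qemu was denied:"
    printf '%s\n' "$denied" | sed 's/^/  /'
    echo "rule to add to the profile or local override, then reload it with apparmor_parser -r:"
    apparmor_rule_for "$dir"
}
main
```

On a real host the two constructed samples would be replaced by `cat /etc/libvirt/qemu.conf` and `dmesg`; the functions are written to read stdin so that swap is a one-line change. Matching on `comm="qemu` rather than on the profile name keeps the check independent of the per-guest `libvirt-<uuid>` profile names, which is the point of the comment above: the denial comes from the qemu process, not from libvirtd.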

Christian Ehrhardt (paelzer) wrote :

Perfect thanks for your answer.

That is indeed coming out of src/qemu/qemu.conf, which is upstream and not Ubuntu-specific.
We are currently in the process of (trying to) upstream most of our AppArmor delta.
I made this change a part of it and depending on discussion will include it hopefully in the next merge we do for Artful.

Once available there we can start considering SRUs.

Changed in libvirt (Ubuntu):
status: Incomplete → Triaged
assignee: nobody → ChristianEhrhardt (paelzer)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 3.5.0-1ubuntu1

---------------
libvirt (3.5.0-1ubuntu1) artful; urgency=medium

  * Merged with Debian unstable (3.5)
    This closes several bugs:
    - improved handling of host-model since libvirt 3.2 (LP: #1673467)
    - Adding POWER9 cpu model to cpu_map.xml (LP: #1690209)
  * Remaining changes:
    - Disable sheepdog (universe dependency)
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Disable selinux
    - Enable esx support
      + Add build-dep to libcurl4-gnutls-dev (required for esx)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Regularly clear AppArmor profiles for vms that no longer exist
    - Additional apport package-hook
    - Modifications to adapt for our delayed switch away from libvirt-bin (can
      be dropped >18.04).
      + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias
        to old service name so that old references work
      + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias
        to old service name so that old references work
      + d/control: transitional package with the old name and maintainer
        scripts to handle the transition
    - Backwards compatible handling of group rename (can be dropped >18.04).
    - config details and autostart of default bridged network. Creating that is
      now the default in general, yet our solution provides the following on
      top as of today:
      + nat only on some ports <port start='1024' end='65535'/>
      + autostart the default network by default
      + do not autostart if 192.168.122.0 is already taken (e.g. in containers)
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
      which provided a separate kvm-spice.
    - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test
    - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
      section that adapts the path of the emulator to the Debian/Ubuntu
      packaging is kept.
    - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
      set VRAM to minimum requirements
    - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
    - Add libxl log directory
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on
      Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + sys...

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released