Comment 56 for bug 1890858

Chuan Li (lccn) wrote :

An Ubuntu Pro customer has reproduced this issue on Focal: a domain user cannot run 'virsh list'.

domain-user@HOST:~$ virsh list --all
error: failed to connect to the hypervisor
error: End of file while reading data: Input/output error

syslog:

libvirtd[23069]: Failed to open file '/sys/kernel/security/apparmor/profiles': Permission denied
libvirtd[23069]: Failed to read AppArmor profiles list '/sys/kernel/security/apparmor/profiles': Permission denied
libvirtd[23069]: Failed to open file '/sys/kernel/security/apparmor/profiles': Permission denied
libvirtd[23069]: Failed to read AppArmor profiles list '/sys/kernel/security/apparmor/profiles': Permission denied

systemd[2928]: Started D-Bus User Message Bus.
dbus-daemon[23092]: [session uid=1000 pid=23092] AppArmor D-Bus mediation is enabled
dbus-daemon[23092]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=23069 label="libvirtd" peer_label="unconfined"
libvirtd[23069]: internal error: Unable to get DBus session bus connection: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

kernel: [ 184.634412] audit: type=1400 audit(1692758554.332:50): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2483 comm="libvirtd" capability=17 capname="sys_rawio"
kernel: [ 413.761114] audit: type=1400 audit(1692760194.668:421): apparmor="DENIED" operation="capable" profile="libvirtd" pid=2590 comm="libvirtd" capability=17 capname="sys_rawio"
kernel: [ 514.808354] audit: type=1400 audit(1692760295.712:518): apparmor="DENIED" operation="bind" profile="libvirtd" pid=4644 comm="rpc-libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-a"
kernel: [ 522.743590] audit: type=1400 audit(1692760303.648:521): apparmor="DENIED" operation="bind" profile="libvirtd" pid=5166 comm="rpc-libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-4"
kernel: [ 632.217763] audit: type=1400 audit(1692760413.122:523): apparmor="DENIED" operation="bind" profile="libvirtd" pid=5279 comm="rpc-libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-e"
kernel: [ 772.196074] audit: type=1400 audit(1692760553.101:536): apparmor="DENIED" operation="bind" profile="libvirtd" pid=5395 comm="rpc-libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-1"
kernel: [ 955.224553] audit: type=1400 audit(1692760736.123:710): apparmor="DENIED" operation="bind" profile="libvirtd" pid=5739 comm="rpc-libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-7"

The customer also confirmed that running the steps below can fix the issue.

echo "network unix dgram," | sudo tee -a /etc/apparmor.d/local/usr.sbin.libvirtd
sudo apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.libvirtd
sudo systemctl restart libvirtd
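
A triage aid for log excerpts like the one in this comment, added here as an example (it is not code from the bug report, libvirt or AppArmor): it groups AppArmor DENIED records by profile, operation and detail, so the repeated bind denials on the varying @userdb-* addresses collapse into one entry. The function names and the abridged sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the kinds of records quoted in the comment.
SAMPLE = '''\
libvirtd[23069]: Failed to open file '/sys/kernel/security/apparmor/profiles': Permission denied
dbus-daemon[23092]: apparmor="DENIED" operation="dbus_method_call" bus="session" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=23069 label="libvirtd" peer_label="unconfined"
kernel: audit: type=1400 apparmor="DENIED" operation="capable" profile="libvirtd" pid=2483 comm="libvirtd" capability=17 capname="sys_rawio"
kernel: audit: type=1400 apparmor="DENIED" operation="bind" profile="libvirtd" pid=4644 comm="rpc-libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-a"
kernel: audit: type=1400 apparmor="DENIED" operation="bind" profile="libvirtd" pid=5166 comm="rpc-libvirtd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-4"
'''

# Matches key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def summarize(lines):
    """Group denials by (profile, operation, detail) with counts and addresses."""
    groups = defaultdict(lambda: {"count": 0, "addrs": set()})
    for line in lines:
        f = parse_denial(line)
        if f is None:
            continue
        # Kernel records carry profile=, dbus-daemon records carry label=
        profile = f.get("profile") or f.get("label", "?")
        op = f.get("operation", "?")
        if op == "capable":
            detail = f.get("capname", "?")
        elif "family" in f:
            detail = f"{f['family']} {f.get('sock_type', '?')}"
        elif op.startswith("dbus"):
            detail = f"{f.get('interface', '?')}.{f.get('member', '?')}"
        else:
            detail = f.get("name", "?")
        group = groups[(profile, op, detail)]
        group["count"] += 1
        if "addr" in f:
            group["addrs"].add(f["addr"])
    return dict(groups)

if __name__ == "__main__":
    for key, info in sorted(summarize(SAMPLE.splitlines()).items()):
        print(key, info["count"], sorted(info["addrs"]))
```
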