Comment 2 for bug 643583

Rather than running as root:root, perhaps the VMs can continue to run unprivileged and adjust the .Xauthority file's permissions to 640 with group 'kvm'. If you are going to recommend to run as root:root, then you should reiterate that VMs are confined by individual apparmor profiles.