Comment 13 for bug 1432644

Jamie Strandboge (jdstrand) wrote :

I looked into this with libvirt-lxc and can confirm that the domains do not start, but the apparmor denial is a red herring. I.e., if I add this to /etc/apparmor.d/abstractions/libvirt-lxc:
   /dev/shm/lttng-ust-wait-* rw,

and this to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
  /dev/shm/lttng-ust-wait-* rw,

Then do:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

I can try to start a container with:
$ virsh -c lxc:// start o1
error: Failed to start domain o1
error: internal error: guest failed to start: Message did not receive a reply (timeout by message bus)

but there are no denials.

Serge, feel free to add an explicit deny in /etc/apparmor.d/abstractions/libvirt-* and an allow rule for /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper, but know that won't fix this bug.