virt-aa-helper refuses to create unix socket for a serial port

Bug #1015154 reported by Ian Wells
This bug affects 5 people
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Serge Hallyn

Bug Description

If I have the following in a libvirt.xml file:

    <serial type="unix">
      <source path="/opt/stack/nova/serial/instance-00000033-serial1" mode="bind"/>
      <target port="1"/>
    </serial>

Then I should end up with a unix socket created when I hand this XML off to libvirt. (I use other types of serial port, such as TCP or file, and they work without problems.) Instead, the VM crashes on startup with 'permission denied' on bind()ing that socket.

However, with the above, I get the following in /var/log/syslog:

Jun 19 07:27:57 ubuntu kernel: [490560.166998] type=1400 audit(1340116077.186:111): apparmor="STATUS" operation="profile_load" name="libvirt-bc24d2ed-d49d-412b-b20b-fd1ec2d1b7b4" pid=26476 comm="apparmor_parser"
Jun 19 07:27:58 ubuntu kernel: [490561.130340] type=1400 audit(1340116078.150:112): apparmor="DENIED" operation="mknod" parent=1 profile="libvirt-bc24d2ed-d49d-412b-b20b-fd1ec2d1b7b4" name="/opt/stack/nova/serial/instance-00000033-serial1" pid=26519 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=117 ouid=117
Jun 19 07:28:29 ubuntu kernel: [490592.296057] type=1400 audit(1340116109.312:113): apparmor="STATUS" operation="profile_remove" name="libvirt-bc24d2ed-d49d-412b-b20b-fd1ec2d1b7b4" pid=27711 comm="apparmor_parser"

It looks to me like virt-aa-helper has not granted sufficient permissions to the qemu instance to create the unix socket.

$ lsb_release -rd ; apt-cache policy libvirt-bin
Description: Ubuntu 11.10
Release: 11.10
libvirt-bin:
  Installed: 0.9.2-4ubuntu15.2
  Candidate: 0.9.2-4ubuntu15.2
  Version table:
 *** 0.9.2-4ubuntu15.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.9.2-4ubuntu15 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages

Tags: patch
Ian Wells (ijw-ubuntu)
summary: - virt-aa-helper refuses to allow create unix sockets
+ virt-aa-helper refuses to create unix socket for a serial port
Serge Hallyn (serge-hallyn) wrote :

Thanks for taking the time to report this bug.

Changed in libvirt (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Datapro Services (it-iizj) wrote :

Any news on this?
I've hit the same thing.

Ubuntu server 12.04
Attempting to create socket connection between VM host and a pre-existing guest.
Following this guide
http://wiki.libvirt.org/page/Qemu_guest_agent

New channel defined in VM

<channel type='unix'>
   <source mode='bind' path='/var/lib/libvirt/qemu/app-dev-tony.agent'/>
   <target type='virtio' name='org.qemu.guest_agent.0'/>
</channel>

When starting the VM, I get the following:

error: Failed to start domain app-dev-tony
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/3
bind(unix:/var/lib/libvirt/qemu/app-dev-tony.agent): Permission denied
chardev: opening backend "socket" failed: Permission denied

Serge Hallyn (serge-hallyn) wrote :

This will require a patch to virt-aa-helper to find unix channel
definitions and whitelist their paths for the new vm. If anyone
has a patch to do so that would be great.

Changed in libvirt (Ubuntu):
importance: Medium → High
Serge Hallyn (serge-hallyn) wrote :

Looks like around line 999 of src/security/virt-aa-helper is the right place to add a check for VIR_DOMAIN_CHR_TYPE_UNIX

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
Serge Hallyn (serge-hallyn) wrote :

The patch debian/patches/9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch needs to be expanded to add the UNIX check to serials, consoles, and parallels.

Changed in libvirt (Ubuntu):
status: Fix Released → Triaged
assignee: nobody → Serge Hallyn (serge-hallyn)
Serge Hallyn (serge-hallyn) wrote :

Here is a debdiff for wily to fix this. It will hopefully be included in the upcoming 1.2.16 merge.

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.16-2ubuntu2

---------------
libvirt (1.2.16-2ubuntu2) wily; urgency=low

  [ Chris J Arges ]
  * Merge from Debian unstable. Remaining changes:
    - debian/apparmor/{libvirt-lxc,libvirt-qemu,local-usr.sbin.libvirtd,
      TEMPLATE.lxc,TEMPLATE.qemu,usr.lib.libvirt.virt-aa-helper,
      usr.sbin.libvirtd} Add apparmor profiles.
    - debian/bug-presubj: removed
    - debian/control:
      - add cdbs, dh-autoreconf, libcurl4-gnutls-dev
      - add libxml-libxml-perl, libhal-dev
      - swap open-iscsi to open-iscsi-utils
      - Enable numa support on ppc64 and ppc64el.
      - remove libsanlock-dev, libselinux1-dev, libsystemd-daemon-dev
      - remove systemtap-sdt-dev, python, sheepdog, librados-dev, libfuse-dev
      - remove libssh2-1, augeas-tools
      - add libcgmanager-dev, xsltproc
      - remove Vcs-Git
      - adjust X-Python-Version > 2.7
      - don't build libvirt-clients, libvirt-daemon, libvirt-sanlock packages
    * keep debian/{libvirt-bin.apport,libvirt-bin.cron.daily}
    * debian/libvirt-daemon.* has been mostly renamed to debian/libvirt-bin.*
    * add upstart script for libvirt-bin
    * debian/*.links files not added
    * debian/libvirt-sanlock* not merged
    * debian/libvirt-clients* not merged
    * debian smoke tests not merged
    * keep debian/{libvirt-migrate-qemu-disks.*,
      libvirt-migrate-qemu-machinetype.*,
      libvirt-migrate-xend-managed-domains.*}
    * keep debian/libvirt-suspendonreboot
    * keep debian/libvirt-uri.sh
    * Don't apply the following patches:
      - d/p/Debianize-libvirt-guests.patch
      - d/p/Debianize-systemd-service-files.patch
      - d/p/debian/Debianize-virtlockd.patch
      - d/p/fix-Debian-specific-path-to-hvm-loader.patch
      - d/p/Disable-gnulib-s-test-nonplocking-pipe.sh.patch
      - d/p/patch-qemuMonitorTextGetMigrationStatus-to-intercept.patch
    * debian/polkit/* not added
    * debian/README.Debian:
      - add 'Apparmor Profile' section
      - add 'Disk migration' section
    * debian/rules:
      - add cdbs and autoconf stuff
      - don't build WITH_SANLOCK, WITH_INIT_SCRIPT, WITH_SYSTEMD, WITH_FIREWALLD
        WITH_SELINUX
      - use qemu-group kvm instead of libvirt-qemu
      - set DEB_DH_INSTALLINIT_ARGS to '--upstart-only'
      - remove auto_test section
      - add build/libvirt-bin:: section to install
        - apparmor files
        - apport hooks
        - libvirt-migrate-qemu-disks
      - use clean:: instead of dh_*clean

  [ Chuck Short ]
    + Rediffed:
     - debian/patches/storage-default-permission-mode-to-0711
     - debian/patches/ubuntu_machine_type.patch
  * debian/libvirt-bin.init: Adjust avahi to avahi-daemon (LP: #1453572)

  [ Serge Hallyn ]
  * 9040-virt-aa-helper-add-unix-channels.patch: add support for unix
    sockets for serials. (LP: #1015154)

 -- Chris J Arges <email address hidden> Wed, 01 Jul 2015 13:33:40 -0500

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
Cody Pisto (cpisto) wrote :

This bug seems to have reappeared in ubuntu 16.04 beta (libvirt 1.3.1)

Serge Hallyn (serge-hallyn) wrote :

@codyp,

please open a new bug showing the details of how the host and guest are setup and how it failed.

I can create a VM with a unix socket for serial, however I have to specify a path which the libvirt-qemu user can write to. So for instance I created /opt/qemu and chowned it to libvirt-qemu:kvm, then specified /opt/qemu/xx as the pathname, and that worked. Using /opt/xx did not. The apparmor exception is being added:

  "/opt/qemu/xx" rw,
