Comment 7 for bug 1393842

While adding this to /etc/apparmor.d/abstractions/libvirt-qemu certainly is a viable workaround:
  /var/lib/libvirt/qemu/channel/target/* rw,

it is not the proper fix because it breaks guest isolation (guests can access other guests target files). Seems like virt-aa-helper should be adjusted to ascertain the name of the 'target' and update /etc/apparmor.d/libvirt/libvirt-<uuid>.files accordingly.