Comment 12 for bug 1403648

Jamie Strandboge (jdstrand) wrote :

As for the /tmp and /var/tmp denials, Dave mentioned that adding the following rules silenced the denials:
  /tmp/ r,
  /var/tmp/ r,

I'm not a fan of those rules in general, because it gives the VMs read access to the directory and they can see what is in there. However I also don't want to break existing setups by adding an explicit deny rule that would block all access to /tmp and /var/tmp if the user updated policy for that or is putting disks in /tmp for testing environments.

As such I suggest the following:
1. for stable releases, add the following to /etc/apparmor.d/abstractions/libvirt-qemu:
  /tmp/ r,
  /var/tmp/ r,
2. for vivid, add the following to /etc/apparmor.d/abstractions/libvirt-qemu:
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,

'1' is suitable for SRU since it only allows access where it wasn't allowed before. If we get bug reports in 15.04+ for '2', the proper solution is to have libvirt set up a vm-specific tmp dir, and have aa-virt-helper add this directory to the .files file for that VM.
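As an added example (not code from the bug report, libvirt or AppArmor), the following Python script models how the two proposed rule sets resolve concrete accesses. It implements a deliberately simplified version of apparmor.d(5) path globbing, which is an assumption on my part: `*` does not cross `/`, `**` does, and `/**` does not match the bare directory itself (which is why proposal 2 writes `/tmp/{,**}` rather than `/tmp/**`), and an explicit deny rule beats any allow. The rule `/tmp/test-disk.img rw,` stands in for something a user might have added to their own VM profile for a testing setup; it is constructed for the example and not from the bug.

```python
import re

# Constructed rule sets: the two proposals from the comment above, plus a
# hypothetical rule a user might have added to a VM profile for testing.
STABLE_RULES = ["/tmp/ r,", "/var/tmp/ r,"]
VIVID_RULES = ["deny /tmp/{,**} r,", "deny /var/tmp/{,**} r,"]
USER_DISK_RULE = ["/tmp/test-disk.img rw,"]  # constructed, not from the bug


def expand_braces(pattern):
    """Expand {a,b,...} alternation into a list of plain globs.

    '/tmp/{,**}' -> ['/tmp/', '/tmp/**']
    """
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[: m.start()] + alt + pattern[m.end():]))
    return expanded


def glob_to_regex(glob):
    """Translate one AppArmor-style path glob into an anchored regex.

    Assumed (simplified) semantics:
      '*'  -> any run of characters except '/'
      '?'  -> one character except '/'
      '**' -> any run of characters including '/'; directly after a '/'
              it must consume at least one character, and that first
              character is not '/', so '/tmp/**' matches '/tmp/x' but
              not '/tmp/' itself.
    """
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append("[^/].*" if i > 0 and glob[i - 1] == "/" else ".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


class Rule:
    """One file rule: optional 'deny', a path glob, a permission string."""

    def __init__(self, text):
        parts = text.strip().rstrip(",").split()
        self.deny = parts[0] == "deny"
        if self.deny:
            parts = parts[1:]
        self.path, self.perms = parts[0], set(parts[1])
        self.regexes = [glob_to_regex(g) for g in expand_braces(self.path)]

    def matches(self, path, perm):
        return perm in self.perms and any(r.match(path) for r in self.regexes)


def access(rule_texts, path, perm):
    """Resolve one access: an explicit deny wins over any allow, and with
    no matching rule at all the access is implicitly denied."""
    rules = [Rule(t) for t in rule_texts]
    if any(r.deny and r.matches(path, perm) for r in rules):
        return "deny"
    if any(not r.deny and r.matches(path, perm) for r in rules):
        return "allow"
    return "implicit-deny"


if __name__ == "__main__":
    cases = [("/tmp/", "r"), ("/tmp/test-disk.img", "r"),
             ("/tmp/test-disk.img", "w"), ("/var/tmp/a/b", "r")]
    for name, rules in (("stable", STABLE_RULES), ("vivid", VIVID_RULES)):
        for path, perm in cases:
            result = access(rules + USER_DISK_RULE, path, perm)
            print(f"{name:6} {path:20} {perm}: {result}")
```

Running it shows the trade-off the comment describes: with the stable rules the guest can list `/tmp/` but only reads a disk there if the user's own rule allows it, whereas with the vivid rules the `deny` overrides that user rule for reads, so a disk placed in `/tmp` for testing stops working even though the user granted `rw` on it.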