qemu doesn't normally need /tmp and /var/tmp. Something is making it use them (i.e., VMs launched under local libvirt (i.e., not OpenStack) don't have this problem). One could add an explicit deny rule to /etc/apparmor.d/abstractions/libvirt-qemu to deny /tmp and /var/tmp, but I think it would be better to understand the problem (and that might break testing environments that legitimately put the disk in /tmp).
The attached xml isn't what I was looking for. When an affected VM is running, can you do:
$ virsh dumpxml <domain>
where '<domain>' can be found from 'virsh list'.