FWIW I'm testing on Xenial with the latest libvirt packages for Ubuntu; the generated apparmor profile .files file for my instances correctly grants access to /var/run/openvswitch/<vhostusersocket>:
Remaining problem is that with the default libvirt user/group for qemu processes, the qemu instance can't actually read/write the vhostuser socket - switching to root/root fixes this problem but does result in all qemu processes running as the root user which is less than ideal.
FWIW I'm testing on Xenial with the latest libvirt packages for Ubuntu; the generated apparmor profile .files file for my instances correctly grants access to /var/run/ openvswitch/ <vhostusersocke t>:
"/run/ openvswitch/ vhu8b11d723- 35" rw,
/dev/vhost-net rw,
Remaining problem is that with the default libvirt user/group for qemu processes, the qemu instance can't actually read/write the vhostuser socket - switching to root/root fixes this problem but does result in all qemu processes running as the root user which is less than ideal.