Comment 23 for bug 1513367

FWIW I'm testing on Xenial with the latest libvirt packages for Ubuntu; the generated apparmor profile .files file for my instances correctly grants access to /var/run/openvswitch/<vhostusersocket>:

  "/run/openvswitch/vhu8b11d723-35" rw,
  /dev/vhost-net rw,

Remaining problem is that with the default libvirt user/group for qemu processes, the qemu instance can't actually read/write the vhostuser socket - switching to root/root fixes this problem but does result in all qemu processes running as the root user which is less than ideal.