Comment 6 for bug 1554031

strace shows:

5082 open("/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)

The apparmor profile (libvirt-uuid.files) includes:

  "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=" r,
  # don't audit writes to readonly files
  deny "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=" w,
  "/var/lib/uvtool/libvirt/images/docker-ds.qcow" rw,
  /dev/vhost-net rw,
  "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=" rw,

That long filename is the (readonly) backing file for the root disk.

sudo qemu-img info docker.qcow
image: docker.qcow
file format: qcow2
virtual size: 30G (32212254720 bytes)
disk size: 7.0G
cluster_size: 65536
backing file: /var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZDpzZXJ2ZXI6MTYuMDQ6YW1kNjQgMjAxNjAxMjU=
backing file format: qcow2
Format specific information:
    compat: 0.10
    refcount bits: 16

So it would seem we could consider this (a) a bug in qemu for requiring write access to a readonly backing file, or (b) a bug in libvirt for denying that write access.