Comment 12 for bug 1633207

Christian Ehrhardt (paelzer) wrote:

Again at:
sudo virsh start yakkety-doubleseclabel
error: Failed to start domain yakkety-doubleseclabel
error: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153'

In the log I found the related:
Okt 27 13:45:50 horsea libvirtd[10370]: internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-8746b00d-aad1-4346-8784-2d4331465153) unexpected exit status 1: 2016-10-27 13:45:20.873+0000: 10640: info : libvirt version: 2.1.0, package: 1ubuntu10~ppa3 (Christian Ehrhardt <email address hidden> Mon, 24 Oct 2016 14:21:36 +0200)
                                        2016-10-27 13:45:20.873+0000: 10640: info : hostname: horsea
                                        2016-10-27 13:45:20.873+0000: 10640: error : virSecurityLabelDefParseXML:6473 : XML error: security label is missing
                                        virt-aa-helper: error: could not parse XML
                                        virt-aa-helper: error: could not get VM definition
Okt 27 13:45:50 horsea libvirtd[10370]: internal error: cannot load AppArmor profile 'libvirt-8746b00d-aad1-4346-8784-2d4331465153'
Okt 27 13:45:50 horsea virtlogd[7706]: End of file while reading data: Input/output error

I also found that adding dac alone is enough to trigger:

$ virsh dumpxml yakkety-doubleseclabel | grep -A 20 '<seclabel'
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
=> Failing

$ virsh dumpxml yakkety-sec-app | grep -A 20 seclabel
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>
=> Working

$ virsh dumpxml yakkety-sec-dac | grep -A 20 seclabel
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
=> Failing just as much as case 1, maybe because apparmor is default on.

Trying to check the /usr/lib/libvirt/virt-aa-helper in those cases, but since it is not meant to be called directly that is a bit tricky.