Comment 13 for bug 1633207

Christian Ehrhardt (paelzer) wrote:

After a bit of twiddling I found a somewhat reasonable repro with the virt-aa-helper tool.

diff -Naur yakkety-sec-dac.xml yakkety-sec-nodac.xml
--- yakkety-sec-dac.xml 2016-10-27 14:32:39.565995840 +0000
+++ yakkety-sec-nodac.xml 2016-10-27 14:32:45.097973456 +0000
@@ -60,6 +60,5 @@
       <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
     </memballoon>
   </devices>
- <seclabel type='dynamic' model='dac' relabel='yes'/>
 </domain>
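
Review bot: the removed line at the end of the hunk, `<seclabel type='dynamic' model='dac' relabel='yes'/>`, drops the whole element at once, so the comparison shows that this element triggers the difference but not which part of it does. A further variant that keeps the element and changes only `type` or only `relabel` would narrow that down. Because the hunk shows only the last lines of `<domain>`, it would also help to state whether any other `<seclabel>` element remains elsewhere in the file.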

So the only difference is whether the dac seclabel is present or not.

$ sudo /usr/lib/libvirt/virt-aa-helper -d -r -p 0 -u libvirt-6e082f89-902c-413c-9d9e-f609089d3374 < yakkety-sec-dac.xml
virt-aa-helper: error: could not parse XML
virt-aa-helper: error: could not get VM definition

$ sudo /usr/lib/libvirt/virt-aa-helper -d -r -p 0 -u libvirt-6e082f89-902c-413c-9d9e-f609089d3374 < yakkety-sec-nodac.xml
virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-6e082f89-902c-413c-9d9e-f609089d3374.files
virt-aa-helper:
  "/var/log/libvirt/**/yakkety-sec-dac.log" w,
  "/var/lib/libvirt/qemu/domain-yakkety-sec-dac/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain--1-yakkety-sec-dac/*" rw,
  "/var/lib/libvirt/qemu/channel/target/domain--1-yakkety-sec-dac/*" rw,
  "/var/run/libvirt/**/yakkety-sec-dac.pid" rwk,
  "/run/libvirt/**/yakkety-sec-dac.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.yakkety-sec-dac" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.yakkety-sec-dac" rw,
  "/var/lib/uvtool/libvirt/images/yakkety-sec-dac.qcow" rw,
  "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTYuMTA6YW1kNjQgMjAxNjEwMjI=" r,
  "/var/lib/uvtool/libvirt/images/yakkety-sec-dac-ds.qcow" rw,
  # for qemu guest agent channel
  owner "/var/lib/libvirt/qemu/channel/target/domain-yakkety-sec-dac/**" rw,
  /dev/vhost-net rw,

Now running debuild locally on xenial and yakkety libvirt to have the packaged aa-helper in a debuggable and recompilable fashion.