To really be worth the "confirmed" I also checked the zfs case.
# create most basic zfs on the LV (because it had free space)
sudo zpool create -f zfsp1 /dev/mapper/testvg-testlv--forzfs
sudo zfs create -ps -V 10G zfsp1/zfsvol1
# which gives me
/dev/zvol/zfsp1/zfsvol1 -> /dev/zd0
Added the matching XML
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/dev/zvol/zfsp1/zfsvol1'/>
<target dev='vde' bus='virtio'/>
</disk>
# Got just like you the zfs deny:
[2165239.463108] audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Seeing that I expect any kind of special /dev might be affected. Thinking of special architectures like /dev/dasd on s390x.
I'd need to find where in the current profiles e.g. LVM is covered to add it there.
Waiting for Simon to answer the questions I outlined before.
To really be worth the "confirmed" I also checked the zfs case.
# create most basic zfs on the LV (because it had free space) testvg- testlv- -forzfs zvol/zfsp1/ zfsvol1 -> /dev/zd0
sudo zpool create -f zfsp1 /dev/mapper/
sudo zfs create -ps -V 10G zfsp1/zfsvol1
# which gives me
/dev/
Added the matching XML dev/zvol/ zfsp1/zfsvol1' />
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source file='/
<target dev='vde' bus='virtio'/>
</disk>
# Got just like you the zfs deny: 9.223:4083) : apparmor="DENIED" operation="open" profile= "/usr/lib/ libvirt/ virt-aa- helper" name="/dev/zd0" pid=16715 comm="virt- aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2165239.463108] audit: type=1400 audit(147980991
Seeing that I expect any kind of special /dev might be affected. Thinking of special architectures like /dev/dasd on s390x.
I'd need to find where in the current profiles e.g. LVM is covered to add it there.
Waiting for Simon to answer the questions I outlined before.