Comment 2 for bug 1641618

To really be worth the "confirmed" I also checked the zfs case.

# create most basic zfs on the LV (because it had free space)
  sudo zpool create -f zfsp1 /dev/mapper/testvg-testlv--forzfs
  sudo zfs create -ps -V 10G zfsp1/zfsvol1
# which gives me
  /dev/zvol/zfsp1/zfsvol1 -> /dev/zd0

Added the matching XML
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/dev/zvol/zfsp1/zfsvol1'/>
      <target dev='vde' bus='virtio'/>
    </disk>

# Got just like you the zfs deny:
[2165239.463108] audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Seeing that I expect any kind of special /dev might be affected. Thinking of special architectures like /dev/dasd on s390x.
I'd need to find where in the current profiles e.g. LVM is covered to add it there.
Waiting for Simon to answer the questions I outlined before.