Comment 44 for bug 1677398

Christian Ehrhardt  (paelzer) wrote :

Hi Yury,
Until this is implemented for real, adding apparmor rules for the uncommon paths is the way to go.
The difference I'd suggest to your solution is to use local overrides since they will neither prompt you nor be overwritten on updates.

This can be done in:
# allow virt-aa-helper to generate per-guest rules in an uncommon path
/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper
# allow things for an individual guest
/etc/apparmor.d/libvirt/libvirt-<uuid>
# allow something for all guests
/etc/apparmor.d/local/abstractions/libvirt-qemu

In this particular case the best way should be an entry like
   /srv/libvirt/images/** r,
in /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper

That is especially good since each individual guest will still only get rules added to allow "his own storage" as configured in the guest XML.
In your solution, by comparison, an exploited guest A could access the storage of guest B.
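The steps the comment above recommends, as an added example script that is not part of the bug thread or of libvirt itself: append the rule to the local override file for virt-aa-helper (without duplicating it on repeated runs) and re-parse the main profile, which is expected to #include the local file, so the change takes effect. The `APPARMOR_ROOT` variable is an assumption introduced here so the functions can be exercised against a scratch directory instead of the real /etc/apparmor.d.

```shell
#!/bin/sh
# Added example, not from the bug comment or from libvirt.
# APPARMOR_ROOT is an assumed knob: it defaults to the real profile
# directory but can point at a scratch directory for a dry run.
APPARMOR_ROOT="${APPARMOR_ROOT:-/etc/apparmor.d}"

# add_local_rule PROFILE RULE
# Appends RULE to $APPARMOR_ROOT/local/PROFILE, the per-host override that
# package updates leave alone. Idempotent: a rule already present is not
# appended a second time.
add_local_rule() {
    profile="$1"
    rule="$2"
    local_file="$APPARMOR_ROOT/local/$profile"
    mkdir -p "$(dirname "$local_file")"
    touch "$local_file"
    if ! grep -qxF "  $rule" "$local_file"; then
        printf '  %s\n' "$rule" >> "$local_file"
    fi
}

# reload_profile PROFILE
# Re-parses the main profile (which pulls in local/PROFILE) so the new
# rule is live. Skipped silently when apparmor_parser or the profile is
# absent, e.g. on a dry run in a scratch directory.
reload_profile() {
    profile="$1"
    if command -v apparmor_parser >/dev/null 2>&1 \
        && [ -f "$APPARMOR_ROOT/$profile" ]; then
        apparmor_parser -r "$APPARMOR_ROOT/$profile"
    fi
}

# Usage, for the case in the comment: let virt-aa-helper read images
# under /srv/libvirt/images so it can emit per-guest rules for them.
# Each guest profile (libvirt-<uuid>) still only receives the paths that
# appear in that guest's own XML; the override widens the helper, not
# every guest.
if [ "$#" -eq 2 ]; then
    add_local_rule "$1" "$2"
    reload_profile "$1"
fi
# e.g.: sh this.sh usr.lib.libvirt.virt-aa-helper '/srv/libvirt/images/** r,'
```

The rule goes only into the virt-aa-helper override, not into local/abstractions/libvirt-qemu; the latter would be loaded into every guest's profile and reintroduce the cross-guest access the comment warns about.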