Comment 8 for bug 1678322

Christian Ehrhardt  (paelzer) wrote :

[ 2652.756712] audit: type=1400 audit(1491303691.719:25): apparmor="DENIED" operation="open" profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a" name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0

Usually guides say that a user who wants to provide vfio should uncomment the default-provided but commented-out cgroup_device_acl setting. I was able to confirm that even with that, the case fails with the aforementioned apparmor deny.

As suggested, the right solution is to add it to the base abstraction, /etc/apparmor.d/abstractions/libvirt-qemu, like:
  # allow guest access to the generic base vfio interface (LP: #1678322)
  /dev/vfio/vfio rw,

The base device should be safe as it has "all but a couple version and extension query interfaces locked away" [1].

This is not new; the open on this has been in the code since 2014, so I wonder if everyone using that just disabled it or manually tweaked it.
This part shall surely be added to the base profile.

Looking into the setrlimit next.

[1]: https://www.kernel.org/doc/Documentation/vfio.txt
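As an added example (not part of this bug comment or of libvirt), a small Python parser that splits type=1400 audit records like the one above into fields, keeps only the DENIED events, and turns a denied file access into the candidate AppArmor rule, the same mapping that yields the `/dev/vfio/vfio rw,` line suggested above; the log text is constructed from the record in this comment plus an unrelated profile-load line.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the DENIED record from this bug plus an unrelated
# profile-load STATUS record, in the form dmesg prints them.
SAMPLE_LOG = """\
[ 2651.001234] audit: type=1400 audit(1491303690.100:24): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a" pid=8470 comm="apparmor_parser"
[ 2652.756712] audit: type=1400 audit(1491303691.719:25): apparmor="DENIED" operation="open" profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a" name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
"""

# key="quoted value" or key=bareword; the audit(...) timestamp has no "=" so it is skipped.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Canonical order in which AppArmor prints file permission modes ("wr" becomes "rw").
MODE_ORDER = "rwalkmx"


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one type=1400 audit line into its key=value fields (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def denied_records(log: str) -> List[Dict[str, str]]:
    """Keep only AppArmor DENIED events; STATUS/ALLOWED lines are noise here."""
    recs = (parse_audit_record(ln) for ln in log.splitlines() if "type=1400" in ln)
    return [r for r in recs if r.get("apparmor") == "DENIED"]


def suggest_file_rule(rec: Dict[str, str]) -> Optional[str]:
    """Turn a DENIED file-access record into the AppArmor rule that would permit it."""
    if rec.get("apparmor") != "DENIED" or "name" not in rec or "denied_mask" not in rec:
        return None
    mask = rec["denied_mask"]
    if not set(mask) <= set(MODE_ORDER):
        return None  # mask letters this helper does not know how to emit as a rule
    mode = "".join(ch for ch in MODE_ORDER if ch in mask)
    return f"{rec['name']} {mode},"


if __name__ == "__main__":
    for rec in denied_records(SAMPLE_LOG):
        print(f"profile {rec['profile']} ({rec['comm']}, pid {rec['pid']}) denied "
              f"{rec['operation']} on {rec['name']}; candidate rule: {suggest_file_rule(rec)}")
```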