Comment 9 for bug 1680386

Christian Ehrhardt  (paelzer) wrote :

There are two ways to allow qemu to access something.
1. globally through the abstraction in /etc/apparmor.d/abstractions/libvirt-qemu
   That is for paths ALL qemu/guests are supposed to use like /dev/kvm
2. per guest files generated based on the XML description in /etc/apparmor.d/libvirt/libvirt-<uuid>.files
   If you need paths like /sys/bus/pci/devices/0009:03:00.0/devspec to be accessible you should consider if you can derive the path from the XML and then let virt-aa-helper write a rule for it so that the guest can do so.

Finally, later in the guest lifecycle further rules will be added via the labeling calls in the security code. E.g. if you add a device, libvirt calls a set label function and this will add the new rules (like for hotplug).
For the latter see virAppArmorSecurityDriver in src/security/security_apparmor.c
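As an added illustration of option 2 above (not code from this bug thread or from libvirt's virt-aa-helper), the script below derives the host PCI address from a domain XML `hostdev` element and emits a per-device, read-only AppArmor rule for the `devspec` attribute, instead of opening all of `/sys/bus/pci/devices/` in the global abstraction. The domain XML, the `sysfs_rules` helper and the exact rule layout are assumptions for this example; only the sysfs path comes from the comment.

```python
import xml.etree.ElementTree as ET

# Constructed domain XML fragment with one passed-through PCI device
# (the 0009:03:00.0 address from the comment above).
SAMPLE_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0009' bus='0x03' slot='0x00' function='0x0'/>
      </source>
    </hostdev>
  </devices>
</domain>"""


def pci_addresses(domain_xml):
    """Return host PCI addresses (DDDD:BB:SS.F) of all PCI hostdevs in the XML."""
    root = ET.fromstring(domain_xml)
    addrs = []
    for hostdev in root.findall("./devices/hostdev[@type='pci']"):
        addr = hostdev.find("./source/address")
        if addr is None:
            continue
        # libvirt stores the parts as hex strings such as '0x0009'.
        dom, bus, slot, fn = (
            int(addr.get(key, "0"), 16) for key in ("domain", "bus", "slot", "function")
        )
        addrs.append(f"{dom:04x}:{bus:02x}:{slot:02x}.{fn:x}")
    return addrs


def sysfs_rules(domain_xml, attrs=("devspec",)):
    """One read-only rule per device and sysfs attribute, scoped to that device only.

    Rule layout is an assumption for this example; it mirrors the quoted-path
    style of the per-guest libvirt-<uuid>.files profiles.
    """
    rules = []
    for addr in pci_addresses(domain_xml):
        for attr in attrs:
            rules.append(f'  "/sys/bus/pci/devices/{addr}/{attr}" r,')
    return rules


if __name__ == "__main__":
    print("\n".join(sysfs_rules(SAMPLE_XML)))
```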