Comment 1 for bug 1752361

Christian Ehrhardt  (paelzer) wrote :

Test notes:

test file:
<domain type='kvm'>
    <name>symlink-test</name>
    <uuid>deadbeef-dead-beef-dead-beefdeadbeef</uuid>
    <memory unit='KiB'>1048576</memory>
    <vcpu>1</vcpu>
    <os>
        <type arch='x86_64'>hvm</type>
        <boot dev='hd'/>
    </os>
    <devices>
        <disk type='file' device='disk'>
            <driver name='qemu' type='qcow2'/>
            <source file='/var/run/symlinkdisk'/>
            <target dev='hda' bus='ide'/>
            <address type='drive' controller='0' bus='0' target='0' unit='0'/>
        </disk>
        <interface type='vhostuser'>
            <model type='virtio'/>
            <source type='unix' path='/var/run/symlinknet' mode='server'/>
        </interface>
        <channel type='unix'>
            <source mode='bind' path='/var/run/symlinksocket'/>
            <target type='virtio' name='org.qemu.guest_agent.0'/>
        </channel>
    </devices>
</domain>

And /var/run being a symlink to /run (as it is by default in Ubuntu)
$ readlink /var/run
/run

Without the fix, that creates:
$ ./src/virt-aa-helper -u libvirt-deadbeef-dead-beef-dead-beefdeadbeef -r --dryrun < /tmp/symlink-test.xml
/etc/apparmor.d/libvirt/libvirt-deadbeef-dead-beef-dead-beefdeadbeef.files
[...]
  "/var/run/symlinkdisk" rwk,
  "/var/run/symlinksocket" rw,
  "/var/run/symlinknet" rw,
[...]

None of the rules have any effect, because AppArmor checks against /run/... (the resolved symlink).
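The mechanism behind the comment above, as an added example that is neither libvirt's virt-aa-helper nor code from the bug report: it pulls the device paths out of a domain XML like the test file, renders AppArmor file rules for them once as-is and once after canonicalising with `os.path.realpath`, and then models the kernel-side check (AppArmor compares the rule against the resolved pathname, not the string the process opened). The /var/run -> /run layout is rebuilt inside a temporary directory so it runs anywhere; the mock uses a relative link target (`../run`) rather than Ubuntu's absolute `/run`, and the `would_match` check is an exact-string stand-in that ignores AppArmor globbing. Both are assumptions of this example.

```python
"""
Added example (not virt-aa-helper code): why AppArmor rules generated for
/var/run/... never match when /var/run is a symlink to /run, and what changes
once the generator resolves symlinks before writing the rule.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed domain XML with the same device layout as the bug's test file;
# {root} is replaced with the mock filesystem root at runtime.
DOMAIN_XML_TEMPLATE = """<domain type='kvm'>
  <name>symlink-test</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='{root}/var/run/symlinkdisk'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <interface type='vhostuser'>
      <model type='virtio'/>
      <source type='unix' path='{root}/var/run/symlinknet' mode='server'/>
    </interface>
    <channel type='unix'>
      <source mode='bind' path='{root}/var/run/symlinksocket'/>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
    </channel>
  </devices>
</domain>
"""


def extract_device_paths(xml_text):
    """Return (path, access_mode) pairs for the device sources handled here:
    file-backed disks get rwk (as in the helper output above), unix sockets rw."""
    root = ET.fromstring(xml_text)
    paths = []
    for disk in root.findall("./devices/disk[@type='file']"):
        src = disk.find("source")
        if src is not None and src.get("file"):
            paths.append((src.get("file"), "rwk"))
    sockets = (root.findall("./devices/interface[@type='vhostuser']")
               + root.findall("./devices/channel[@type='unix']"))
    for node in sockets:
        src = node.find("source")
        if src is not None and src.get("path"):
            paths.append((src.get("path"), "rw"))
    return paths


def apparmor_file_rules(device_paths, resolve_symlinks):
    """Render AppArmor file rules. With resolve_symlinks=True each path is
    canonicalised first. os.path.realpath resolves the directory components that
    exist, so a socket QEMU has not created yet still lands under the real
    directory (.../run instead of .../var/run)."""
    rules = []
    for path, mode in device_paths:
        rule_path = os.path.realpath(path) if resolve_symlinks else path
        rules.append('  "%s" %s,' % (rule_path, mode))
    return rules


def would_match(rules, accessed_path):
    """Stand-in for the kernel-side decision (assumption: exact match, no globs).
    AppArmor compares against the resolved pathname of the accessed object."""
    resolved = os.path.realpath(accessed_path)
    return any(rule.split('"')[1] == resolved for rule in rules)


def build_mock_layout(root):
    """Create root/run and root/var/run -> ../run, mirroring `readlink /var/run`
    giving /run on Ubuntu (relative target is an assumption to keep the mock relocatable)."""
    os.makedirs(os.path.join(root, "run"))
    os.makedirs(os.path.join(root, "var"))
    os.symlink("../run", os.path.join(root, "var", "run"))
    # The disk image exists ahead of time; the sockets are only created by QEMU at start.
    open(os.path.join(root, "run", "symlinkdisk"), "wb").close()


def demo():
    """Run both generators in a throw-away directory and return what each produced."""
    with tempfile.TemporaryDirectory() as tmp:
        build_mock_layout(tmp)
        paths = extract_device_paths(DOMAIN_XML_TEMPLATE.format(root=tmp))
        unresolved = apparmor_file_rules(paths, resolve_symlinks=False)
        resolved = apparmor_file_rules(paths, resolve_symlinks=True)
        disk = os.path.join(tmp, "var", "run", "symlinkdisk")
        return {
            "unresolved": unresolved,
            "resolved": resolved,
            "unresolved_allows_disk": would_match(unresolved, disk),
            "resolved_allows_disk": would_match(resolved, disk),
            "real_run_dir": os.path.realpath(os.path.join(tmp, "run")),
        }


if __name__ == "__main__":
    result = demo()
    print("Rules for the unresolved path (no effect, as in the bug):")
    print("\n".join(result["unresolved"]))
    print("Rules after resolving symlinks:")
    print("\n".join(result["resolved"]))
```

The point worth keeping from this is the socket case: the vhostuser and guest-agent sockets do not exist when the profile is generated, so a strict "resolve only if the file exists" approach would still emit the dead /var/run rule for them; resolving the existing parent directories is what makes those rules land under /run as well.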