Comment 4 for bug 1786159

Jamie Strandboge (jdstrand) wrote :

I disagree that blanket access to /tmp should be allowed since it breaks application isolation (see https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1403648/comments/12). Perhaps a better compromise would be to change this:

  # allow access to charm-specific ceph config and silence spurious
  # denials (LP: #1403648).
  /var/lib/charm/*/ceph.conf r,
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,

to:

  # allow access to charm-specific ceph config and allow reads
  # on the /tmp directories to silence spurious denials without
  # breaking additional rules (LP: #1403648, LP: #1786159).
  /var/lib/charm/*/ceph.conf r,
  /{,var/}tmp/ r,
  owner /{,var/}tmp/**/ r,

At this point, people are free to add:

  owner /tmp/qemu-smb.*/{,**} rw,

The question then becomes, is the smb functionality in the domain XML in a way that virt-aa-helper can query it at all? Apparently, it is not, so I feel it is unreasonable to put it in the default libvirt policy. People can modify /etc/apparmor.d/abstractions/libvirt-qemu for this site-specific addition.
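
The effect of the proposed change, as an added example that is not part of the original comment or of libvirt/AppArmor tooling: it evaluates the rule text quoted above against constructed sample paths, showing that an explicit deny overrides a later site-specific allow while the proposed rules do not. The glob translation is a simplified model of AppArmor path matching, and the helper names are hypothetical.

```python
import re

# Rule text copied from the comment above.
OLD = """
  /var/lib/charm/*/ceph.conf r,
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,
"""
NEW = """
  /var/lib/charm/*/ceph.conf r,
  /{,var/}tmp/ r,
  owner /{,var/}tmp/**/ r,
"""
SITE = "owner /tmp/qemu-smb.*/{,**} rw,"
BRACES = {"{": "(?:", "}": ")", ",": "|"}  # assumes commas only occur inside {}

def aare_to_regex(glob):
    """Simplified model: * stays inside one path component, ** crosses '/'."""
    out, i = [], 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == "/"  # then at least one char is required
        if glob.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*")
            i += 1
        elif glob[i] == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
        else:
            out.append(BRACES.get(glob[i]) or re.escape(glob[i]))
        i += 1
    return re.compile("".join(out), re.S)

def parse(policy):
    """Turn '[deny] [owner] PATH PERMS,' lines into (deny, owner, regex, perms)."""
    rules = []
    for line in policy.splitlines():
        tok = line.split("#")[0].strip().rstrip(",").split()
        if tok:
            rules.append(("deny" in tok[:-2], "owner" in tok[:-2],
                          aare_to_regex(tok[-2]), tok[-1]))
    return rules

def decide(rules, path, perm, owned):
    """Deny rules win over allow rules; a path no rule matches is denied and logged."""
    hits = [deny for deny, owner, rx, perms in rules
            if perm in perms and rx.fullmatch(path) and (owned or not owner)]
    if any(hits):
        return "denied (silent)"
    return "allowed" if hits else "denied (logged)"
```

With `OLD + SITE` a read of a file under `/tmp/qemu-smb.*/` stays denied because the `deny` rule still matches it; with `NEW + SITE` the same read is allowed, while other files under /tmp remain unreadable.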