Comment 5 for bug 1833040

Christian Ehrhardt  (paelzer) wrote :

As I assumed, easily reproducible:

[ 7152.173377] audit: type=1400 audit(1560925171.038:439): apparmor="DENIED" operation="file_r50-221da1d95974" pid=18422 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 "

Compared to other denies this is really rather low on extra qualifiers - I see why you just added "unix," for now :-/

We used to have this for the past few releases:
  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),

The peer detection is gone now; I have no good idea why, but essentially for libvirt 4.0 we have to trim the rule to
  unix (send, receive) type=stream addr=none,

Which is still a rather (too) open rule.

Further, I have realized that your systems (which are Eoan, while I'm on Eoan LXD on Bionic+HWE 4.18) actually detect a peer, but with the path changed.
- kernel 5.0.0-16 (Eoan) peer="libvirtd"
- kernel 4.18 (Bionic + HWE) no peer detected
- older libvirt peer=(label=/usr/sbin/libvirtd)

I started a discussion in #security; if nothing comes back I'll set jdstrand to CC anyway when submitting something upstream, maybe he has an idea why the peer detection was changed.
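As an added example (not part of this comment or of libvirt's own tooling), a small Python script that groups unix-socket AppArmor denials by the peer the kernel reported and emits the matching rule; the audit lines are constructed, and the group without a peer produces the broad peer-less rule discussed above:

```python
import re

# Constructed sample audit lines (not taken from the bug report): the first
# carries a peer label as the 5.0 kernel reports it, the second has no peer,
# as observed on the 4.18 HWE kernel.
SAMPLE_LOG = """\
audit(1560925171.038:439): apparmor="DENIED" operation="sendmsg" profile="libvirt-EXAMPLE" pid=18422 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="send" denied_mask="send" addr=none peer="libvirtd"
audit(1560925171.038:440): apparmor="DENIED" operation="recvmsg" profile="libvirt-EXAMPLE" pid=18422 comm="qemu-system-x86" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive" addr=none
"""

# key=value pairs; values are either double-quoted or bare tokens
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def suggest_unix_rules(log_text):
    """Group unix-socket denials by (sock_type, addr, peer) and emit one
    AppArmor 'unix' rule per group. A denial with no peer yields the broad,
    peer-less rule; a reported peer yields the peer=(label=...) form."""
    groups = {}
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("family") != "unix":
            continue
        key = (f.get("sock_type"), f.get("addr", "none"), f.get("peer"))
        groups.setdefault(key, set()).update(f.get("denied_mask", "").split())
    rules = []
    # peer-less groups sort first so the broad rule is easy to spot
    for (sock_type, addr, peer), perms in sorted(
            groups.items(), key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or "")):
        rule = "unix (%s) type=%s addr=%s" % (", ".join(sorted(perms)), sock_type, addr)
        if peer:
            rule += " peer=(label=%s)" % peer
        rules.append(rule + ",")
    return rules


if __name__ == "__main__":
    for r in suggest_unix_rules(SAMPLE_LOG):
        print(r)
```

Any rule the script prints without a peer= qualifier is the kind of overly open rule the comment warns about and deserves a second look before it lands in a profile.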