$ dmesg | grep audit
[ 6046.037322] type=1505 audit(1269377190.495:54): operation="profile_load" pid=17852 name="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815"
[ 6046.144800] type=1503 audit(1269377190.606:55): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="::r" denied_mask="::r" fsuid=0 ouid=1000 name="/home/myself/.Xauthority"
[ 6046.145062] type=1503 audit(1269377190.606:56): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="::r" denied_mask="::r" fsuid=0 ouid=1000 name="/home/myself/.Xauthority"
[ 6046.145147] type=1503 audit(1269377190.606:57): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="rw::" denied_mask="rw::" fsuid=0 ouid=0 name="/dev/fb0"
[ 6046.145190] type=1503 audit(1269377190.606:58): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/17858/cmdline"
[ 6046.147198] type=1503 audit(1269377190.606:59): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="rw::" denied_mask="rw::" fsuid=0 ouid=0 name="/dev/fb0"
[ 6076.374039] type=1505 audit(1269377220.835:60): operation="profile_remove" pid=18209 name="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" namespace="root"
So the first step would be to add the xauth="XXX" path to the domain's profile definition. And additionally /dev/fb* for DirectFB fallback, if no X environment is available.
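The denials above can be condensed into candidate profile rules for review. This is an added example, not code from the original report or from libvirt or AppArmor: the function names are hypothetical, the sample records are copied from the dmesg output above, and it assumes the "::" in denied_mask is only a separator and that @{pid} is defined by the profile's tunables.

```python
import re
from collections import defaultdict

# Records copied from the dmesg output above (one load event, four denials).
SAMPLE = '''\
[ 6046.037322] type=1505 audit(1269377190.495:54): operation="profile_load" pid=17852 name="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815"
[ 6046.144800] type=1503 audit(1269377190.606:55): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="::r" denied_mask="::r" fsuid=0 ouid=1000 name="/home/myself/.Xauthority"
[ 6046.145062] type=1503 audit(1269377190.606:56): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="::r" denied_mask="::r" fsuid=0 ouid=1000 name="/home/myself/.Xauthority"
[ 6046.145147] type=1503 audit(1269377190.606:57): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="rw::" denied_mask="rw::" fsuid=0 ouid=0 name="/dev/fb0"
[ 6046.145190] type=1503 audit(1269377190.606:58): operation="open" pid=17858 parent=1 profile="libvirt-a4294a0d-a75a-a377-ddcd-7e35d5720815" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/17858/cmdline"
'''

# key=value pairs; values are either quoted strings or bare tokens.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the key=value fields of one kernel audit line as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def candidate_rules(log_text):
    """Map profile name -> sorted candidate file rules from type=1503 denials."""
    perms = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "1503" or "denied_mask" not in rec:
            continue  # skip profile_load/profile_remove (type=1505) and noise
        path = rec["name"]
        # A literal pid in a /proc path never matches the next run of the
        # guest, so substitute the @{pid} variable (assumed to be defined).
        prefix = "/proc/%s/" % rec.get("pid", "")
        if rec.get("pid") and path.startswith(prefix):
            path = "/proc/@{pid}/" + path[len(prefix):]
        # Assumption: "::" only separates mask halves; keep the letters.
        perms[rec["profile"]][path] |= set(rec["denied_mask"].replace(":", ""))
    return {prof: sorted(f"{p} {''.join(sorted(m))}," for p, m in paths.items())
            for prof, paths in perms.items()}

if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE).items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```

Repeated denials for the same path collapse into one rule; each candidate still has to be judged before it goes into the profile, since a denial only shows what the guest process asked for.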