Comment 1 for bug 891472

This should work if you add the following to /etc/apparmor.d/bin/usr.sbin.libvirtd (under the '/usr/bin/* PUx' rule):
  /etc/libvirt/hooks/* ix,

Hooks are called by the trusted libvirtd daemon, not by the AppArmor protected guests so this rule is safe to add to the AppArmor profile as libvirtd is expected to run (essentially) unconfined.