Comment 55 for bug 1246929

the emulated HDA works fine in Windows 7 VM using the above, with proviso that I run VM as root, ie.
/etc/libvirt/qemu.conf includes (in my case, which works)
user = "root"
group = "root"
cgroup_device_acl = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc","/dev/hpet", "/dev/vfio/vfio",
    "/dev/vfio/1", "/dev/vfio/14", "/dev/vfio/15", "/dev/vfio/16", "/dev/vfio/17",
    "/dev/shm", "/root/.config/pulse", "/dev/snd",
]
nographics_allow_host_audio = 1
security_require_confined = 0
hugetlbfs_mount = "/dev/hugepages"
clear_emulator_capabilities = 0
relaxed_acs_check = 1

If using VNC rather than Spice, you may also need
vnc_allow_host_audio = 1

and /etc/apparmor.d/abstractions/libvirt/qemu contains the following additional lines (in my case)
  /{dev,run}/shm/pulse-shm* rw,
  @{HOME}/.config/puls** rwk,
  @{HOME}/** r,
  /root/.config/puls** rwk,
  /root/.asoundrc r,
  /dev/vfio/* rw,

This works nicely with a Windows 7 guest using the following xml (where a graphics card is apssed through at 01:00.0 and a USB card is passed at 02:00.0, note that the inbuilt audio device on the graphics card is NOT passed through i'ts still attached to pci-stub)
!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit ssd-win7
or other application using the libvirt API.
-->

<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>ssd-win7</name>
  <uuid>92faa169-292a-4086-a398-31df57266eb1</uuid>
  <memory unit='KiB'>6291456</memory>
  <currentMemory unit='KiB'>6291456</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64' machine='pc-q35-2.0'>hvm</type>
    <loader>/mnt/programming_data/virtualisation/bios/bios.bin</loader>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
  </os>
  <features>
    <acpi/>
    <hyperv>
      <relaxed state='on'/>
      <vapic state='on'/>
      <spinlocks state='on' retries='4096'/>
    </hyperv>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Haswell</model>
    <topology sockets='1' cores='2' threads='1'/>
  </cpu>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/ssd-virt/lvwin7_kvm'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x04' function='0x0'/>
    </disk>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x03' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='pci' index='1' model='dmi-to-pci-bridge'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1e' function='0x0'/>
    </controller>
    <controller type='pci' index='2' model='pci-bridge'>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x01' function='0x0'/>
    </controller>
    <interface type='user'>
      <mac address='00:00:00:0a:5b:2c'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x01' function='0x0'/>
    </interface>
    <input type='tablet' bus='usb'/>
    <sound model='ac97'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x02' function='0x0'/>
    </sound>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
  <qemu:commandline>
    <qemu:arg value='-rtc'/>
    <qemu:arg value='base=localtime'/>
    <qemu:arg value='-nodefconfig'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='nec-usb-xhci,id=xhci'/>
    <qemu:arg value='-spice'/>
    <qemu:arg value='port=5902,disable-ticketing'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='ioh3420,bus=pcie.0,addr=1c.0,multifunction=on,port=1,chassis=1,id=root.1'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='ioh3420,bus=pcie.0,addr=1c.1,multifunction=on,port=2,chassis=2,id=root.2'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='ich9-intel-hda,bus=root.2'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='hda-duplex,bus=hda.0'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='usb-ehci,id=ehci'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='vfio-pci,host=01:00.0,bus=root.1,addr=00.0,multifunction=on,x-vga=on'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='vfio-pci,host=02:00.0,bus=pcie.0'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='ahci,bus=pcie.0,id=ahci'/>
    <qemu:env name='DISPLAY' value=':0'/>
    <qemu:env name='QEMU_ALSA_DAC_BUFFER_SIZE' value='512'/>
    <qemu:env name='QEMU_ALSA_DAC_PERIOD_SIZE' value='100'/>
    <qemu:env name='QEMU_AUDIO_DRV' value='alsa'/>
  </qemu:commandline>
</domain>

If you'd rather grant access at the VM level you can update the apparmor entries in /etc/apparmor.d/libvirt/libivrt-<uuid>
What worked best for me was to create a new permissions file based on the "libvirt-<uuid>.files" entry which was autmatically generated. The new file contains the following
# Added by R E to support use of VFIO.
  "/dev/vfio/*" rw,
# Needed for ALSA sound (based on error messages about not having access).
  "/dev/shm/pulse-shm*" rwk,
  "/run/shm/pulse-shm*" rwk,
  "/root/.config/puls**" rwk,
  "/root/.asoundrc" r,
# Rather than specifying individual files, allow the whole directory
  "/mnt/programming_data/isos/**" r,
# don't audit writes to readonly files
  deny "/mnt/programming_data/isos/**" w,

Then add a pointer to that file in the master at "libvirt-<uuid>" ie. to look like this (see the last entry, the file which i created)

#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-c1a86cb2-82b4-4db9-89c2-ced5be57b39e {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-c1a86cb2-82b4-4db9-89c2-ced5be57b39e.files>
  #include <libvirt/libvirt-c1a86cb2-82b4-4db9-89c2-ced5be57b39e.files_re>

}

For some reason, when I do the same for a Ubuntu Trusty VM it initially worked but now shows a "device busy" error for some reason, which i'm unable to overcome - even though a Windows VM operating in exactly the same manner works fine. Arcane magic involved - sacrifice may be required
Both the AC97 and the HDA devices work on Windows ie. go into Control Panel / Sound and select one, run a test and it works fine. Neither of them is a PCI pasthrough card. As it happens I have a separate USB soundcard I can use in Windows because it's attached to the USB controller with is passed through via PCI passthrough, but that's a spearate story.

In my situation, the host is Ubuntu Trusty running kvm, qemu, libvirt and virt-manager from the standard repos. The kernel is patched to support VGA passthrough (mostly to deal with Intel graphics poor handling of VGA arbitration)

Have you tried this arrangement ?