Comment 1 for bug 1815910

Christian Ehrhardt  (paelzer) wrote :

Hi Daniel,
thank you for your report and your help making Ubuntu better.

Your workaround is exactly the right way to flag your system for your special local configuration.
In later releases there is a file at:
  /etc/apparmor.d/local/abstractions/libvirt-qemu
which shall help to add a rule without conflicts on conffiles at package updates.

I assume that you have started the domain without any vhost-net device, but then hotplugged one.
The rule for /dev/vhost-net is added on guest definition if a network device has VIR_DOMAIN_NET_BACKEND_TYPE_QEMU and virDomainNetIsVirtioModel.

That means if you start without any such device it won't be added at startup, and later at hotplug you hit the reported error.

I'd need to check if any of the relabeling calls that we have registered at virAppArmorSecurityDriver could be made to detect a vhost device and add that path in addition to what it was actually called for - maybe the FD for the vhost-dev gets a labeling call?

For now please confirm my assumption on your setup before I hunt a red herring in the code :-)
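As an added example (not part of the bug report and not libvirt's own code), the following POSIX shell functions let an administrator check whether a given AppArmor profile or abstraction file already permits `/dev/vhost-net`, and apply the local-override workaround described above idempotently. The file paths in the usage comment are taken from the comment; everything else, including the function names, is assumed.

```shell
#!/bin/sh
# Added example: detect and add the /dev/vhost-net rule in an AppArmor file.
# The functions take file paths as arguments so they can be run against
# copies of the profiles rather than only the live files under /etc/apparmor.d.

# Return 0 if FILE contains an active (uncommented) rw rule for /dev/vhost-net.
# Matches both the unquoted form '/dev/vhost-net rw,' and the quoted form
# '"/dev/vhost-net" rw,' that libvirt-generated profiles use.
vhost_rule_present() {
    grep -Eqs '^[[:space:]]*"?/dev/vhost-net"?[[:space:]]+rw,' "$1"
}

# Append the rule to the local override FILE unless it is already there.
# The file is created if missing; a second call leaves the file unchanged.
add_local_vhost_rule() {
    file="$1"
    if vhost_rule_present "$file"; then
        return 0
    fi
    printf '%s\n' '/dev/vhost-net rw,' >> "$file"
}

# Usage (paths from the comment; the per-domain profile name is illustrative):
#   vhost_rule_present /etc/apparmor.d/libvirt/libvirt-<uuid> \
#     || add_local_vhost_rule /etc/apparmor.d/local/abstractions/libvirt-qemu
```

After adding the rule to the local abstraction file the affected profiles must be reloaded (for example with `apparmor_parser -r` on the domain's profile) before the change takes effect for a running guest.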