After a bit of twiddling I found a somewhat reasonable repro with the virt-aa-helper tool.
diff -Naur yakkety-sec-dac.xml yakkety-sec-nodac.xml --- yakkety-sec-dac.xml 2016-10-27 14:32:39.565995840 +0000 +++ yakkety-sec-nodac.xml 2016-10-27 14:32:45.097973456 +0000 
@@ -60,6 +60,5 @@ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> </memballoon> </devices> - <seclabel type='dynamic' model='dac' relabel='yes'/> </domain>

So the only diff is if the dac seclabel is here or not.

$ sudo /usr/lib/libvirt/virt-aa-helper -d -r -p 0 -u libvirt-6e082f89-902c-413c-9d9e-f609089d3374 < yakkety-sec-dac.xml
virt-aa-helper: error: could not parse XML
virt-aa-helper: error: could not get VM definition

$ sudo /usr/lib/libvirt/virt-aa-helper -d -r -p 0 -u libvirt-6e082f89-902c-413c-9d9e-f609089d3374 < yakkety-sec-nodac.xml
virt-aa-helper: /etc/apparmor.d/libvirt/libvirt-6e082f89-902c-413c-9d9e-f609089d3374.files
virt-aa-helper:
  "/var/log/libvirt/**/yakkety-sec-dac.log" w,
  "/var/lib/libvirt/qemu/domain-yakkety-sec-dac/monitor.sock" rw,
  "/var/lib/libvirt/qemu/domain--1-yakkety-sec-dac/*" rw,
  "/var/lib/libvirt/qemu/channel/target/domain--1-yakkety-sec-dac/*" rw,
  "/var/run/libvirt/**/yakkety-sec-dac.pid" rwk,
  "/run/libvirt/**/yakkety-sec-dac.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.yakkety-sec-dac" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.yakkety-sec-dac" rw,
  "/var/lib/uvtool/libvirt/images/yakkety-sec-dac.qcow" rw,
  "/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTYuMTA6YW1kNjQgMjAxNjEwMjI=" r,
  "/var/lib/uvtool/libvirt/images/yakkety-sec-dac-ds.qcow" rw,
  # for qemu guest agent channel owner
  "/var/lib/libvirt/qemu/channel/target/domain-yakkety-sec-dac/**" rw,
  /dev/vhost-net rw,

Now running debuild locally on xenial and yakkety libvirt to have the packaged aa-helper in a debuggable and recompilable fashion.

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Medium
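
Review bot: the hunk touches only the seclabel line just before `</domain>`, so the no-dac copy keeps the same domain name and UUID, and that is why the successful run on yakkety-sec-nodac.xml emits profile rules for yakkety-sec-dac paths. Stating that next to the diff, or giving the second file its own domain name, would keep readers from taking that rule list for output of the failing XML.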
https://bugs.launchpad.net/bugs/1633207

Title: VM fails to start with dac security driver added