Comment 6 for bug 1227912

I have just encounter this problem in Ubuntu 14.04.1. Here's a workaround:

# cd /var/lib/libvirtd/qemu
# mkdir -p channel/target
# chown -R libvirt-qemu:kvm channel/

(The path above is used by libvirt-manager when you create the channel.)

In /etc/apparmor.d/abstractions/libvirt-qemu at the end add:

"/var/lib/libvirt/**/*.org.qemu.guest_agent.0" rwk,

(Reload apparmor profiles).

The line in libvirt-qemu could be generated in the domain specific file by virt-aa-helper to exactly match the name of the domain, but I cannot see a high security risk in being a bit unspecific here (allows one qemu to access the socket of another qemu).