alias rules being only partially applied

As reported by Christian Boltz

alias rules broken for /{,var/}run/

Hello,

lots of profiles contain rules for /{,var/}run/ nowadays.

Unfortunately that breaks if /var is a symlink (to /home/sys-var in my
case) even if a correct alias rule is setup.

I'll paste the details from #apparmor:

[22:00] <cboltz> I get unexpected DENIED events in combination with aliases:
[22:00] <cboltz> apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/avahi-daemon" name="/home/sys-var/run/avahi-daemon/" pid=14842 comm="avahi-daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[22:00] <cboltz> but I have in tunables/alias
[22:01] <cboltz> alias /var/ -> /home/sys-var/,
[22:01] <cboltz> and the profile for avahi-daemon allows write access to /var/run/avahi-daemon/ (original profile as in bzr)
[22:01] <cboltz> is this a known or a new bug?
[22:52] <sbeattie> cboltz: sorry, jjohansen and I are at the Ubuntu Developer Summit this week, so we're bouncing on and off irc.
[22:53] <sbeattie> cboltz: not a known bug to me
[22:54] <cboltz> then it must be a new one
[22:56] <cboltz> I just found what causes it
[22:57] <sbeattie> cboltz: oh?
[22:57] <cboltz> /{,var/}run/avahi-daemon/ w, fails the alias replacement
[22:57] <cboltz> /var/run/avahi-daemon/ w, works
[23:00] <sbeattie> doh
[23:01] <sbeattie> that's a result of aliases being more like a pre-processing step than a real semantic change.
[23:02] <cboltz> looks like it should be a real semantic change *g*
[23:03] <sbeattie> Feel free to raise the issue on the list or file a bug, though I'm not sure that it'd be an easy thing to address.
[23:03] <cboltz> I'll send a mail
[23:04] <sbeattie> cool, thanks!
[23:04] <cboltz> just tell John that I found a bug again, and then enjoy the developer summit
[23:04] <sbeattie> hehe
[23:06] * sbeattie vanishes again