Comment 9 for bug 1845506

I think I see what happens.
virt-aa-helper works on some intermediate content, and the labelling calls only "append" something.
This works if you e.g. hot attach one and later another device.
But on this interaction with snapshots of multiple devices they seem to work on "the same" intermediate content.
It is like:

start "A"
1. result A+B
2. result A+C (totally ignoring B being added)

And eventually we only have the last disk added as apparmor rule.
Since the overall action then fails by an apparmor denial the profile is reloaded as it was before.

I need to check how/where that interim content is stored.