Comment 14 for bug 1546674

On 2016-10-24 11:08 AM, ChristianEhrhardt wrote:
> Hi,
> unfortunately after a reboot of my host my local reproducibility is gone :-/
>
> I don't know if you could, but would like to ask if one of you think you can verify that in Yakkety or Zesty.
> The way the apparmor rules get created changed in >=Yakkety and since we have to start with the devel releases that is the place to go for the first verification.
> Still Y&Z are widely the same, so I build for both in a ppa.
>
> I build the suggested fix (along another one) in https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550/+packages.
> It would be great of one of you could test it there.

Thanks for providing this testing PPA. I was able to test the Yakkety
version of your package. With it, I get the following Apparmor messages
(also attached here):

apparmor="DENIED" operation="open"
profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=3357
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="libvirt-UUID"
name="/proc/3374/task/3391/comm" pid=3374 comm="qemu-system-x86"
requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
...
apparmor="DENIED" operation="open" profile="libvirt-UUID"
name="/proc/3374/task/3414/comm" pid=3413 comm="qemu-system-x86"
requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

So while the /dev/zd0 denial was expected, the /proc/$pid/task/$pid/comm
ones were not. To address those, I applied the patch attached.