Comment 8 for bug 1554031

ok, actually I think this is simply an error in virt-aa-helper. apparmor's load_profile() should be being called before the blockcommit begins, to add rw access to the base image. Which is why the rw rule is there. But the 'deny' rule is for some reason still there.