Comment 8 for bug 1554031

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

ok, actually I think this is simply an error in virt-aa-helper. apparmor's load_profile() should be being called before the blockcommit begins, to add rw access to the base image. Which is why the rw rule is there. But the 'deny' rule is for some reason still there.