Comment 1 for bug 1641618

Christian Ehrhardt (paelzer) wrote:

Hi Simon,
those changes (the whole part after "/sys/devices/** r,") never made it upstream and were actually dropped in the merge of libvirt 2.x for Yakkety.
Maybe that also moved and this is "only" needed in Xenial and actually fixed in >=Yakkety already?

And looking back - nobody complained on the yakkety merge that smb did - hrm ..?
Eventually (like some day) we want to get rid of apparmor delta and that was one step.

I also checked history backwards, but things are a bit lost since for some time Ubuntu was ahead of Debian before switching to the more usual setup.
I almost couldn't find the past but I realized you know the history of this - as I found bug 912007 from you of 2012.

I checked a Yakkety that I had around which did not have the denies as I outlined before.
So following the old bug content I realized it might need special devices. So to reproduce on Yakkety (what I just had around) I added disks on lvm and nvme to see if I can find it:

    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/dev/mapper/testvg-testlv'/>
      <target dev='vdc' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/dev/nvme0n1'/>
      <target dev='vdd' bus='virtio'/>
    </disk>

The LV was silent - although I failed to see what was done in the profile for it.
The nvme I found and I think that is because it is new and not covered yet, the same way zfs might not be there yet. I need to find the spot that makes the "ok" to the LVM as this is clearly the place to add it on newer versions.

Simon:
- Can you describe the "noise" it makes to you?
- Having the old rules, you were on Xenial, right?
- Does it match what I found?
- The old bug only has "Per discussion on irc, I'll add a deny rule to usr.lib.libvirt.virt-aa-helper", but I don't really get why it is a deny and not an allow - could you elaborate on that?