Comment 17 for bug 578527

Roman Yepishev (rye) wrote :

As I can see on my installation the following happens:

requested_mask="r::" denied_mask="r::"

but

virt-aa-helper.c:
    for (i = 0; i < ctl->def->nserials; i++)
        if (ctl->def->serials[i] && ctl->def->serials[i]->data.file.path)
            if (vah_add_file(&buf,
                             ctl->def->serials[i]->data.file.path, "w") != 0)
                goto clean;

    if (ctl->def->console && ctl->def->console->data.file.path)
        if (vah_add_file(&buf, ctl->def->console->data.file.path, "w") != 0)
            goto clean;

so AppArmor profiles contain e.g. /dev/ttyS0 w, which allows writing to the file, but not reading :-/
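
The mismatch described in the comment above, as an added example that is not part of the original comment or of libvirt: a Python check that compares the requested_mask of a denial with the permissions a profile grants for the same path. The sample log line and profile text are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample data (not from the bug report): one audit denial in the
# key="value" style quoted in the comment, and the rule the comment says the
# generated profile contains.
SAMPLE_DENIAL = ('operation="open" profile="libvirt-EXAMPLE" name="/dev/ttyS0" '
                 'requested_mask="r::" denied_mask="r::"')
SAMPLE_PROFILE = '''
  /dev/ttyS0 w,
  "/var/lib/libvirt/images/example.img" rw,
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Plain path rules only: optional quotes around the path, then permission letters.
RULE_RE = re.compile(r'^\s*"?(/[^"\s]*)"?\s+([A-Za-z]+),\s*$')


def parse_denial(line):
    """Return the key="value" fields of an audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def mask_perms(mask):
    """Assumption: only the letters of a mask such as "r::" matter here."""
    return {c for c in mask if c.isalpha()}


def profile_perms(profile_text, path):
    """Collect permissions granted to an exact path (no glob handling)."""
    granted = set()
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) == path:
            granted |= set(m.group(2))
    return granted


def missing_perms(denial_line, profile_text):
    """Permissions that were requested but that no rule for the path grants."""
    fields = parse_denial(denial_line)
    path = fields.get("name")
    requested = mask_perms(fields.get("requested_mask", ""))
    return path, requested - profile_perms(profile_text, path)


if __name__ == "__main__":
    path, missing = missing_perms(SAMPLE_DENIAL, SAMPLE_PROFILE)
    print(f"{path}: missing {''.join(sorted(missing)) or 'nothing'}")
```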