© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
There does seem to be a bug in there. Couple of points:
1. we do want to enforce that the media is readonly if libvirt says it is (hence the explicit deny)
2. we don't want to grant 'w' access in one line, only to take it away in an explicit deny
3. I don't know what 'relabel' is supposed to mean in the context of apparmor
So virt-aa-helper needs to refine its logic. The referenced commit isn't the actual problem though-- that bug was about when <readonly/> was present, qemu would try to open rw but apparmor would log the harmless denial. The commit simply silenced logging for a denial that was happening anyway. This bug is about applying that deny rule at the wrong time.