On 20.08.2015 09:54, intrigeri wrote:
> Guido Günther wrote (19 Aug 2015 16:56:46 GMT) :
>>> # for hostdev
>>> /sys/devices/ r,
>>> /sys/devices/** r,
>>> + deny /dev/sd* r,
>>> + deny /dev/vd* r,
>>> + deny /dev/dm-* r,
>>> + deny /dev/mapper/ r,
>>> + deny /dev/mapper/* r,
>> ...what is this for? We don't have this hunk upstream either.
> It apparently comes from the Ubuntu delta.
>
> I'll try to bzr branch
> https://code.launchpad.net/~ubuntu-branches/ubuntu/wily/libvirt/wily
> later (likely not today) and see if there's an explanation in there.
>
> Felix or anyone else, feel free to be faster than me :)
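Review bot: the five added `deny` lines in the "# for hostdev" block carry no comment stating why they exist, and the thread shows the rationale is not recorded anywhere else either; put a one-line comment above them, e.g. `# virt-aa-helper opens block devices when handling hostdev; deny them explicitly so the (harmless) denials are not logged`. Worth noting in that comment as well that AppArmor `deny` rules are quiet (no audit message) and take precedence over any matching allow rule, so a later profile change that legitimately needs `/dev/mapper/*` or `/dev/sd*` readable will be silently overridden by these lines unless they are removed.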
That bzr tree hasn't been updated in a long while. The deny rules aren't
strictly necessary, but they silence those (harmless) denials. I'm not quite
sure why virt-aa-helper opens the devices in the first place. We need to look
into how to push this upstream, through modifying the helper or the profile.

Cheers,
Felix

