Public bug reported:

From the ML:

virsh blockcommit is invoked, this leads to:

1.) qemuDomainBlockCommit
-> 2.) qemuDomainDiskChainElementPrepare
-> 3.) qemuSecuritySetImageLabel
-> 4.) AppArmorSetSecurityImageLabel (triggers profile reload only)
-> 5.) virt-aa-helper does the profile reload
-> 6.) failure since the image has an explicit deny rule

The patch in question tries to fix this at 5.) by not adding a deny write rule at all, but the place to fix this is 4.), since AppArmorSetSecurityImageLabel does not take the virStorageSourcePtr src element into account to create a virDomainDefPtr based on def that marks the image in question as 'rw' but "only" reloads the profile.

Full discussion: https://www.redhat.com/archives/libvir-list/2017-May/msg00442.html

For now we will keep the delta as-is, but mid term a proper extension to virt-aa-helper would be the right way.

** Affects: libvirt (Ubuntu)
   Importance: Undecided
   Status: Confirmed

** Tags: virt-aa-helper

** Changed in: libvirt (Ubuntu)
   Status: New => Confirmed

** Tags added: virt-aa-helper

https://bugs.launchpad.net/bugs/1692441

Title: proper code for virt-aa-helper to allow blockcommit rw as needed
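The failure at step 6 follows from AppArmor's rule precedence: an explicit `deny` overrides any allow rule for the same access, wherever it sits in the profile. The model below is an added example, not code from libvirt or from this report; the image paths and the three profile fragments are constructed, and the assumption that the reload contributes its own `rw` rule for the image is mine.

```python
import re

# Constructed profile fragments. Paths and rule layout are illustrative
# assumptions, not output captured from virt-aa-helper.
BASE = "/var/lib/libvirt/images/base.qcow2"
TOP = "/var/lib/libvirt/images/top.qcow2"

# Reloaded profile where the backing image is still treated as read-only.
# Assumption: the reload adds an rw rule for the image (last line).
PROFILE_DENY = f'''
  "{TOP}" rw,
  "{BASE}" r,
  deny "{BASE}" w,
  "{BASE}" rw,
'''

# Approach at step 5 (the delta kept for now): the deny rule is not emitted.
PROFILE_NO_DENY = PROFILE_DENY.replace(f'  deny "{BASE}" w,\n', "")

# Approach at step 4: the image is marked 'rw' before the profile is built.
PROFILE_MARKED_RW = f'''
  "{TOP}" rw,
  "{BASE}" rw,
'''

RULE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([rwkl]+),\s*$')

def parse_rules(text):
    """Return (is_deny, path, perms) for each quoted-path file rule."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((bool(m.group(1)), m.group(2), set(m.group(3))))
    return rules

def allowed(profile, path, perm):
    """Deny-over-allow evaluation; exact path match only, no glob support."""
    rules = parse_rules(profile)
    granted = any(not d and p == path and perm in perms for d, p, perms in rules)
    denied = any(d and p == path and perm in perms for d, p, perms in rules)
    return granted and not denied

if __name__ == "__main__":
    for name, prof in [("deny kept", PROFILE_DENY),
                       ("deny omitted", PROFILE_NO_DENY),
                       ("marked rw", PROFILE_MARKED_RW)]:
        print(f"{name:13} write to base image allowed: {allowed(prof, BASE, 'w')}")
```
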
