On Fri, 2015-10-30 at 09:15 +0900, Daniel P. Berrange wrote:
> So, yes, it is normal for libvirt_lxc to access /dev/ptmx to create
> a new master PTY and to read/write to /dev/pts/NN associated with
> the file descriptor retrieved from /dev/ptmx.

After some more debugging and help from jjohansen, the problem happens
to be this commit:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=d0d4b8ad76d3e8a859ee9070...

When having the not-so-silly idea to mount the host / readonly in a qemu
guest (like what virt-sandbox is doing), we are adding a "deny /** w"
rule taking precedence over all rules giving write access to files
inside that path.

Would there be a clean solution for that problem? I can already teach
virt-sandbox to add the host / mount only if there is nothing else to be
mounted as /, but that wouldn't cover all cases.

--
Cedric
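
The rule precedence described in the message above, as an added example that is not part of the original mail or of libvirt's code: a simplified Python model of AppArmor file-rule evaluation in which a matching deny rule overrides any allow rule, whatever their order. Only the "deny /** w" rule comes from the message; the allow rules for /dev/ptmx and /dev/pts/* and all function names are constructed for illustration.

```python
import re

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here: '**' crosses '/', '*' does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def parse_rule(line):
    """Parse '[deny] <path-glob> <perms>,' into (is_deny, regex, set of perms)."""
    tokens = line.strip().rstrip(",").split()
    is_deny = tokens[0] == "deny"
    if is_deny:
        tokens = tokens[1:]
    path, perms = tokens
    return is_deny, glob_to_regex(path), set(perms)

def is_allowed(rules, path, perm):
    """Return True only if an allow rule matches and no deny rule matches."""
    parsed = [parse_rule(r) for r in rules]
    # A matching deny rule wins regardless of where it sits in the profile.
    if any(deny and rx.match(path) and perm in perms for deny, rx, perms in parsed):
        return False
    return any(not deny and rx.match(path) and perm in perms for deny, rx, perms in parsed)

# Constructed sample rules: PTY access as discussed in the thread, then the
# same rules with the deny rule quoted in the message added.
PTY_RULES = ["/dev/ptmx rw,", "/dev/pts/* rw,"]
WITH_ROOT_DENY = PTY_RULES + ["deny /** w,"]

if __name__ == "__main__":
    for name, rules in (("pty rules only", PTY_RULES), ("with deny /** w", WITH_ROOT_DENY)):
        for path in ("/dev/ptmx", "/dev/pts/3"):
            for perm in "rw":
                verdict = "allow" if is_allowed(rules, path, perm) else "DENY"
                print(f"{name:16} {path:12} {perm} -> {verdict}")
```

Because the deny pattern covers every path under /, no narrower allow rule can restore write access to the PTY nodes; reads are unaffected.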