Hi,
On Mon, Jun 06, 2016 at 12:47:08PM +0200, intrigeri wrote:
> Control: tag -1 + upstream
> Control: tag -1 - moreinfo
>
> Hi,
>
> Guido Günther wrote (06 Jun 2016 06:33:45 GMT) :
> > It's "good enough" for debugging on a test system.
> > Incredibly helpful, thanks!
>
> Thanks upstream folks for helping :) I'm also glad that the root cause
> of the problem was identified and a patch submitted to
> upstream libvirt.
>
> My understanding is that the required debugging features are either
> already there (though hard to find), or planned for implementation in
> upstream AppArmor. Guido, what do you think we should do about this
> bug report now? Downgrade to normal severity and retitle to track
> upstream progress of the planned improvements, perhaps? Or just close
> because it's actually "good enough" as-is?
I'm all for downgrading and retitling. The information provided by upstream
(thanks for that!) is too valuable to let it go to the bts archive as of yet.
I wouldn't have filed a bug if:
* The manpage would have mentioned that deny rules are still enforced
(and don't print anything) in the aa-complain manpage. Christian
added a note on this at
https://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3482?start_revid=3482
* The manpage would have redirected me to a page that lists the other
nice commands mentioned by John
This informaton should IMHO go into upstream manpages / documentation
and be linked to from the various manpages one steps on first
(aa-complain, ...) in order to hopefully help people along to debug
things.
For the time being I dumpted things here:
https://honk.sigxcpu.org/piki/development/apparmor-debugging/
Cheers,
-- Guido
