Comment 3 for bug 1236455

Seth Arnold (seth-arnold) wrote :

I made some slight adjustments to test.sh and found that the sha1 of the loaded profile changes after reloading:

# ./test.sh
usr.bin.serge.allow loaded, sha1 7e932d334f64e154a8749ded59787ce0f5dc0785
usr.bin.serge.deny loaded, sha1 7045ef3e6721273fdb0bc8e556f4dd8b7136a7d7
failed

The audit messages logged at the same time:
type=AVC msg=audit(1383780124.809:900): apparmor="STATUS" operation="profile_load" parent=14173 profile="unconfined" name="/usr/bin/serge" pid=14176 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.809:900): arch=c000003e syscall=1 success=yes exit=16785 a0=5 a1=ab8f00 a2=4191 a3=7fff0ec3b4c0 items=0 ppid=14173 pid=14176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts7 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=AVC msg=audit(1383780124.913:901): apparmor="STATUS" operation="profile_replace" parent=14173 profile="unconfined" name="/usr/bin/serge" pid=14188 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.913:901): arch=c000003e syscall=1 success=yes exit=16953 a0=5 a1=1b58f00 a2=4239 a3=7fff4b63f570 items=0 ppid=14173 pid=14188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts7 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)

Add these two lines after the first apparmor_parser load:
printf "usr.bin.serge.allow loaded, sha1 "
cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.serge.*/sha1

Add these two lines after the second apparmor_parser load:
printf "usr.bin.serge.deny loaded, sha1 "
cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.serge.*/sha1

So I think this rules out caching inconsistencies.
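As an added example (not part of this comment or of the bug's test.sh), a small Python parser for the AppArmor STATUS audit records quoted above: it pairs each AVC record with its SYSCALL record by audit serial, so every profile_load/profile_replace can be reported with the pid and the number of compiled-policy bytes apparmor_parser wrote into the kernel (the write(2) return value in exit=). Two different sizes for the same profile name, like the two sha1 values, show from the audit trail alone that different policy was loaded; the function names and the sample log text (copied from the records above) are my own constructions.

```python
import re
from collections import defaultdict

# Constructed sample: the four audit records quoted above, one per line as in audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1383780124.809:900): apparmor="STATUS" operation="profile_load" parent=14173 profile="unconfined" name="/usr/bin/serge" pid=14176 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.809:900): arch=c000003e syscall=1 success=yes exit=16785 a0=5 a1=ab8f00 a2=4191 a3=7fff0ec3b4c0 items=0 ppid=14173 pid=14176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts7 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=AVC msg=audit(1383780124.913:901): apparmor="STATUS" operation="profile_replace" parent=14173 profile="unconfined" name="/usr/bin/serge" pid=14188 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.913:901): arch=c000003e syscall=1 success=yes exit=16953 a0=5 a1=1b58f00 a2=4239 a3=7fff4b63f570 items=0 ppid=14173 pid=14188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts7 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
POLICY_OPS = {"profile_load", "profile_replace", "profile_remove"}

def parse_record(line):
    """One audit record -> dict of its key=value fields plus timestamp and serial."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = MSG.search(line)
    fields["ts"], fields["serial"] = float(m.group(1)), int(m.group(2))
    return fields

def policy_events(log_text):
    """AppArmor policy load/replace/remove events, oldest first.
    Records sharing a serial form one event: the AVC record names the operation and
    profile; the SYSCALL record's exit= is the write(2) return value, i.e. how many
    compiled-policy bytes apparmor_parser pushed into the kernel."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            groups[rec["serial"]].append(rec)
    events = []
    for serial in sorted(groups):
        avc = next((r for r in groups[serial] if r["type"] == "AVC"
                    and r.get("apparmor") == "STATUS"
                    and r.get("operation") in POLICY_OPS), None)
        if avc is None:
            continue
        sc = next((r for r in groups[serial] if r["type"] == "SYSCALL"), {})
        written = int(sc["exit"]) if sc.get("success") == "yes" else None
        events.append({"ts": avc["ts"], "operation": avc["operation"],
                       "name": avc["name"], "pid": int(avc["pid"]), "bytes": written})
    return events

def policy_sizes(events, name):
    """Distinct compiled-policy sizes seen for one profile name; more than one
    means different policy was loaded under that name (as in the sha1 check above)."""
    return sorted({e["bytes"] for e in events if e["name"] == name and e["bytes"]})
```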