Stumbled upon this problem, tried something along these lines:
- At one console:
    # journalctl -b -k -e -f > /var/tmp/aa-whatever.log
- At another:
    # aa-genprof -f /var/tmp/aa-whatever.log /usr/bin/whatever
- At yet another - actually run the app and exercise it.
As a result, the file is full of audit messages regarding the app, but it
appears that aa-genprof expects them to be in some syslog-specific format, so
pressing 'S' in it yields no events, and when one presses 'F' to exit, the app
being profiled is left in a malfunctioning state as apparently everything is
now denied for it.
Removing the generated profile and restarting apparmor does not fix the
problem; in my case only rebooting helps.
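
Added example, not part of the original post: a small Python triage script that confirms which AppArmor events a captured `journalctl -k` file actually holds for one profile, independent of aa-genprof. The sample lines are constructed, and the key="value" layout of kernel AppArmor audit records is an assumption about what the capture contains.

```python
import re
from collections import Counter

# Constructed sample of `journalctl -k` short-format output (not from the post).
SAMPLE = """\
Nov 14 12:00:01 host kernel: audit: type=1400 audit(1700000001.100:45): apparmor="ALLOWED" operation="open" profile="/usr/bin/whatever" name="/etc/whatever.conf" pid=1234 comm="whatever" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 14 12:00:02 host kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
Nov 14 12:00:03 host kernel: audit: type=1400 audit(1700000003.200:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/whatever" name="/etc/whatever.conf" pid=1234 comm="whatever" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 14 12:00:04 host kernel: audit: type=1400 audit(1700000004.300:47): apparmor="DENIED" operation="mknod" profile="/usr/bin/whatever" name="/var/tmp/x" pid=1234 comm="whatever" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 14 12:00:05 host kernel: audit: type=1400 audit(1700000005.400:48): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/etc/hosts" pid=999 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the AppArmor fields of one log line, or None if it has none."""
    start = line.find('apparmor=')
    if start == -1:
        return None
    fields = {}
    for m in KV.finditer(line[start:]):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize(text, profile):
    """Count (verdict, operation, name, denied_mask) tuples for one profile."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is None or f.get('profile') != profile:
            continue
        # Some records (e.g. capability checks) carry no name field.
        counts[(f['apparmor'], f.get('operation', '-'),
                f.get('name', '-'), f.get('denied_mask', '-'))] += 1
    return counts


if __name__ == '__main__':
    for event, n in summarize(SAMPLE, '/usr/bin/whatever').most_common():
        print(n, *event)
```

To run it against a real capture, read the file contents and pass them to `summarize()` in place of `SAMPLE`.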