The profile="unconfined" in the following line from the logs just means that the process which loaded the new profile is unconfined. The apparmor="STATUS" operation="profile_load" log entries are from the initscript or upstart scripts when they are loading the profiles before executing the program.

audit: type=1400 audit(1432447057.243:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince-thumbnailer" pid=447 comm="apparmor_parser"

If the process loading policy were confined (I believe this is allowed, so long as the process has capability MAC_ADMIN in its policy and has this capability natively) then the confining profile would have been reported here, instead of "unconfined". The important part to remember is that the log events reflect the process that is performing the operation.

Thanks

--
https://bugs.launchpad.net/bugs/1458288

Title:
  Some exec appeair on kern.log but on apparmor_status not.
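
An added example, not part of the original message: a small parser that reads AppArmor audit lines the way the comment above describes, treating `profile=` on a policy-load record as the confinement of the loading process and `name=` as the profile being loaded. The second and third sample lines, the `/usr/local/sbin/policy-loader` profile and all function names are constructed for illustration.

```python
import re

# key=value or key="quoted value" pairs as they appear in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations that change loaded policy; the kernel logs them with apparmor="STATUS"
POLICY_OPS = {"profile_load", "profile_replace", "profile_remove"}

# Constructed sample input: line 0 is the entry quoted above, lines 1-2 are made up.
SAMPLE = [
    'audit: type=1400 audit(1432447057.243:13): apparmor="STATUS" operation="profile_load" '
    'profile="unconfined" name="/usr/bin/evince-thumbnailer" pid=447 comm="apparmor_parser"',
    'audit: type=1400 audit(1432447099.010:21): apparmor="STATUS" operation="profile_replace" '
    'profile="/usr/local/sbin/policy-loader" name="/usr/bin/evince" pid=803 comm="apparmor_parser"',
    'audit: type=1400 audit(1432447100.100:42): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/evince-thumbnailer" name="/home/alice/notes.txt" pid=912 '
    'comm="evince-thumbnai" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

def parse_fields(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def interpret(line):
    """Say what profile= and name= mean for this particular record."""
    f = parse_fields(line)
    if f.get("apparmor") == "STATUS" and f.get("operation") in POLICY_OPS:
        # Policy change: profile= describes the loader, name= the profile acted on.
        loader_profile = f.get("profile")
        return {
            "kind": "policy_change",
            "affected_profile": f.get("name"),
            "loader": f.get("comm"),
            "loader_pid": int(f["pid"]),
            "loader_confined_by": None if loader_profile == "unconfined" else loader_profile,
        }
    # Any other record: profile= confines the acting process, name= is the object.
    return {
        "kind": "access_event",
        "verdict": f.get("apparmor"),
        "confined_by": f.get("profile"),
        "object": f.get("name"),
        "process": f.get("comm"),
    }

if __name__ == "__main__":
    for entry in SAMPLE:
        print(interpret(entry))
```
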
