One aspect of AppArmor IPC mediation is a "crosscheck" that requires a sending domain to have policy to allow sending and also requires the receiver to have policy to allow receiving. If either one fails, then the operation is failed as early as possible. (I'm not entirely sure how I would expect it to show up in the logs when they aren't in the same namespace, but this feels about what I would expect.)
Perhaps the Unix Domain Socket changes in newer versions of AppArmor require changes to the policy? I have a vague memory that previous versions of AppArmor allow file rules to give access to unix domain sockets in the filesystem but newer versions of AppArmor require explicit unix rules. (Worse yet, don't know what to add to the rsyslog policy to allow this access.)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2123821

Title: bad restriction: apparmor="DENIED" [...] namespace="root//lxd-n_<var-snap-lxd-common-lxd>" profile="rsyslogd" name="/run/systemd/journal/dev-log"
