[apparmor] base abstraction for writing to systemd dev-log doesn't work

Mark Wadham ubuntu at rkw.io
Mon Jul 25 13:26:11 UTC 2016


I've been trying to configure apparmor for dovecot, but I keep getting 
messages like this:

[130842.572874] audit: type=1400 audit(1469436340.177:2400): 
apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - 
disconnected path" error=-13 profile="/usr/sbin/dovecot" 
name="run/systemd/journal/dev-log" pid=23971 comm="dovecot" 
requested_mask="w" denied_mask="w" fsuid=0 ouid=0

The dovecot profiles all include the base abstractions 
(/etc/apparmor.d/abstractions/base) which includes this:

   /{,var/}run/systemd/journal/dev-log w,

and it seems even if I add this explicitly to the dovecot profiles they 
still can't write to the dev-log.  Is this a bug or am I doing something 

Also while I'm here, if you have a wrapper script around an application 
in order to ensure it restarts if it dies, is there a way to configure 
apparmor so that /bin/bash is allowed for the wrapper script but not for 
the process it's wrapping?


More information about the AppArmor mailing list