FYI, http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3658 fixes the /run/systemd/journal/stdout denials. It seems like the real cause of this bug is this denial:
[95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000
Suspecting this had something to do with the flock and mmap mediation fixes, I tried the reproducer with an updated 16.04 kernel (4.4.0-77.98-generic). This fixes the file_mmap denial, but we still have a file_mprotect 'r' denial:
[ 825.339262] audit: type=1400 audit(1493908654.440:86): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=14249 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536
I'm not sure if this indicates a bug in the apparmor policy or apparmor itself. If the policy, adjusting /etc/apparmor.d/usr.sbin.cups-browsed to have:
/usr/sbin/cups-browsed r,
resolves the issue.
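
Added example, not part of the original comment or of AppArmor's own tooling: a small Python triage script that parses the two audit records quoted above, groups the denials by profile and path, and formats a candidate file rule for human review. The function names are hypothetical, and the sample records are the ones from the comment with the stray spaces removed.

```python
import re
from collections import defaultdict

# Matches key=value and key="value" fields of a kernel audit record.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# The two denials quoted in the comment above (old kernel, then 4.4.0-77.98).
SAMPLE = [
    '[95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000',
    '[  825.339262] audit: type=1400 audit(1493908654.440:86): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=14249 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536',
]

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {}
    for m in FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(lines):
    """Map (profile, name) -> denied operations and denied permission letters."""
    out = defaultdict(lambda: {"ops": set(), "mask": set()})
    for line in lines:
        d = parse_denial(line)
        if d is None or "name" not in d:
            continue  # not a denial, or not a file-path denial
        entry = out[(d.get("profile", "?"), d["name"])]
        entry["ops"].add(d.get("operation", "?"))
        entry["mask"].update(d.get("denied_mask", ""))
    return dict(out)

def candidate_rule(name, mask):
    """Format a file rule from the denied letters; a suggestion to review, not a fix."""
    perms = "".join(c for c in "rwamxkl" if c in mask)
    return f"{name} {perms},"

if __name__ == "__main__":
    for (profile, name), info in summarize(SAMPLE).items():
        # A profile denied access to its own executable is the pattern in this bug.
        note = " (profile's own binary)" if profile == name else ""
        print(f"profile {profile}{note}: {sorted(info['ops'])}")
        print("  candidate rule:", candidate_rule(name, info["mask"]))
```

Run over only the second record, the output is the `r` rule given in the comment; with both records it also includes `m` from the older kernel's file_mmap denial.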