systemd offers to create dynamic (and semi-stable) users for services. This causes many services using Apparmor profiles to trigger those denials (even when they don't use the DynamicUser feature):
audit: type=1107 audit(1585076282.591:30): pid=621 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=709 label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"
And more recently with systemd 245 this also get shown:
audit: type=1400 audit(1585139000.628:39): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/" pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
systemd offers to create dynamic (and semi-stable) users for services. This causes many services using Apparmor profiles to trigger those denials (even when they don't use the DynamicUser feature):
audit: type=1107 audit(158507628 2.591:30) : pid=621 uid=103 auid=4294967295 ses=4294967295 msg='apparmor= "DENIED" operation= "dbus_method_ call" bus="system" path="/ org/freedesktop /systemd1" interface= "org.freedeskto p.systemd1. Manager" member= "GetDynamicUser s" mask="send" name="org. freedesktop. systemd1" pid=709 label=" /usr/sbin/ squid" peer_pid=1 peer_label= "unconfined"
And more recently with systemd 245 this also get shown:
audit: type=1400 audit(158513900 0.628:39) : apparmor="DENIED" operation="open" profile= "/usr/sbin/ squid" name="/ run/systemd/ userdb/ " pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0