I don't see the following step from the Test Case performed in comment #20. Was it?
4) check kernel logs for DENIED
$ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
or, depending on how logging is configured:
$ dmesg | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
Step 4 should not return anything. Because systemd is involved in the user/group lookups, it currently returns the following: