Comment 6 for bug 324645

Steve Beattie (sbeattie) wrote :

> This looks worrisome. Why does it want to write ("w") krb5.conf? ...

This has been a long-lasting issue around the kerberos libraries that has been seen in both the apparmor and SELinux communities; according to http://www.nsa.gov/research/selinux/list-archive/0312/thread_body13.shtml#6196 , what krb5 is doing is an access(2) call to see if it has write access to the conf file or not. Unfortunately, this ends up being passed to the LSM layer as a live permission check, and results in the rejection message you see above. There have been proposals amongst the apparmor developers to support something akin to SELinux's dontaudit keyword, which would reject but not log access attempts (on a per-rule basis), but it's never been a priority because this one case has been the only one we've seen where we wanted it.

(In ancient pre-LSM days, apparmor would only do permission checks on actual accesses, not the access(2) call, but the ability to distinguish between an access(2) call and a regular open(2) call was not included when the LSM api was created.)