It seems like this bug is in apparmor_parser. I loaded a profile with "deny dbus," and then strace'd the bus while running dbus-send:
$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qr
$ aa-exec -p deny-dbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Strace output:
open("/sys/kernel/security/apparmor/.access", O_RDWR) = 61
write(61, "label\0deny-dbus\0 system\0org.freedesktop.DBus\0unconfined\0/org/freedesktop/DBus\0org.freedesktop.DBus\0Hello", 104) = 104
read(61, "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n", 67) = 67
The deny mask should not be all zeroes. Looking at the dfa-states output of apparmor_parser confirms that it is a parser bug:
$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{2} (0x 9fc27f/0/0/0)
{5} (0x 40030/0/0/0)
The deny masks output by apparmor_parser are all zeroes.
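As an added check, not part of the bug report above: the script below parses the two outputs quoted in the report, the `apparmor_parser -D dfa-states` dump and the reply read from the `.access` query file, and flags the symptom described, a profile whose deny rules compile to all-zero deny masks. The sample strings are copied from the report; the line shapes (`{N} (0x allow/deny/audit/quiet)` and `name 0xMASK`) are assumed to be exactly as quoted there, and the function names are this example's own.

```python
import re

# Constructed sample input, copied from the apparmor_parser -D dfa-states dump in the report:
# the header names the four mask columns, each accepting state lists allow/deny/audit/quiet in hex.
SAMPLE_DFA_STATES = """{1} <== (allow/deny/audit/quiet)
{2} (0x 9fc27f/0/0/0)
{5} (0x 40030/0/0/0)
"""

# Constructed sample input, copied from the read() on /sys/kernel/security/apparmor/.access
# in the report's strace output.
SAMPLE_ACCESS_REPLY = "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n"

MASK_NAMES = ("allow", "deny", "audit", "quiet")

# Matches a state line such as "{5} (0x 40030/0/0/0)". The dump as quoted prints a space
# after "0x", so the whitespace is optional (assumption about the output shape).
STATE_RE = re.compile(
    r"^\{(?P<state>\d+)\}\s+\(0x\s*"
    r"(?P<allow>[0-9a-fA-F]+)/(?P<deny>[0-9a-fA-F]+)/"
    r"(?P<audit>[0-9a-fA-F]+)/(?P<quiet>[0-9a-fA-F]+)\)"
)


def parse_dfa_states(dump):
    """Map accepting-state id -> {allow, deny, audit, quiet} (ints) from a dfa-states dump.

    Lines without a mask tuple (the "{1} <== (...)" header, non-accepting states) are skipped.
    """
    states = {}
    for line in dump.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        states[int(m.group("state"))] = {name: int(m.group(name), 16) for name in MASK_NAMES}
    return states


def parse_access_reply(reply):
    """Map mask name -> int from the text the kernel returns on the .access query file."""
    masks = {}
    for line in reply.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in MASK_NAMES:
            masks[parts[0]] = int(parts[1], 16)
    return masks


def compiled_deny_missing(states):
    """True when no accepting state carries any deny bit, i.e. the profile's deny rules
    did not survive compilation (the symptom in the report)."""
    return not any(s["deny"] for s in states.values())


def query_deny_missing(masks):
    """True when the kernel's reply reports a zero deny mask for a query the profile
    was written to deny."""
    return masks.get("deny", 0) == 0


if __name__ == "__main__":
    states = parse_dfa_states(SAMPLE_DFA_STATES)
    print("accepting states:", states)
    print("deny rules dropped by the parser:", compiled_deny_missing(states))
    print("query reply has zero deny mask:", query_deny_missing(parse_access_reply(SAMPLE_ACCESS_REPLY)))
```

On a live system the two inputs would come from `apparmor_parser -QD dfa-states` run on the profile and from the `read()` on the `.access` file that strace shows; a profile containing deny rules for which `compiled_deny_missing` returns True is exhibiting this bug and its deny rules are not being enforced.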