Comment 21 for bug 2040483

Neil Wilson (neil-aldur) wrote :

The debdiff is in the MP above.

Podman does try to kill the container itself, as the error trace above testifies.

May 14 11:14:41 srv-omzr6 kernel: audit: type=1400 audit(1715685281.392:118): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=term peer="podman"

It's trying to kill conmon in some scenarios, which means your policy changes so far are deficient in that regard. We can tighten the signal set there to term and kill, which is certainly no worse than the pre-4.0.0 situation.

I note the point about the signal set on the runtimes, and that should be removed. The stop signals can be set to anything within the container.

I would suggest extending the AARE to cover the binaries as well as the policy name.
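As an added illustration (not code from the bug report, the podman package, or the AppArmor project): a small Python script that parses `apparmor="DENIED"` signal audit lines like the one quoted above, groups the denied signals by profile, access and peer, and renders the minimal `signal` rule that would allow exactly what was seen. The first sample line is the denial from the comment; the second (a `kill` from the same peer) is constructed so that the aggregation has two signals to merge, which yields the `term` plus `kill` set the comment proposes. The peer label is copied verbatim from the log; widening it to an AARE that also matches the binary path, as suggested above, is left to whoever edits the profile, and the rule syntax follows the `signal (access) set=(...) peer=...` form documented in apparmor.d(5).

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the comment;
# line 2 is a hypothetical kill from the same peer added for illustration.
SAMPLE_LOG = """\
May 14 11:14:41 srv-omzr6 kernel: audit: type=1400 audit(1715685281.392:118): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
May 14 11:14:42 srv-omzr6 kernel: audit: type=1400 audit(1715685282.001:119): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"
"""

# Audit records are key=value pairs; strings are quoted ("podman"),
# while signal=term and pid=7458 are bare tokens.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_denial(line):
    """Return the key/value fields of an apparmor="DENIED" line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def collect_signal_denials(log_text):
    """Group denied signal names by (profile, access, peer).

    Only class="signal" denials are considered; file/network denials in the
    same log are ignored so they do not turn into signal rules.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_apparmor_denial(line)
        if not f or f.get("class") != "signal":
            continue
        key = (f["profile"], f["denied_mask"], f["peer"])
        denials[key].add(f["signal"])
    return dict(denials)


def signal_rule(profile, access, peer, signals):
    """Render an AppArmor signal rule for `profile` that grants only `signals`.

    The set= clause is always emitted: a bare `signal (receive) peer=...`
    would allow every signal, which is the over-broad rule to avoid.
    """
    sigs = ", ".join(sorted(signals))
    return f"signal ({access}) set=({sigs}) peer={peer},"


def suggest_rules(log_text):
    """Return one minimal signal rule per (profile, access, peer) seen denied."""
    grouped = collect_signal_denials(log_text)
    return [
        signal_rule(profile, access, peer, sigs)
        for (profile, access, peer), sigs in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Run it against `journalctl -k` output (or `/var/log/audit/audit.log`) after reproducing the stop; each printed rule belongs inside the profile named in its `profile=` field, here `containers-default-0.57.4`, and the `set=` clause stays restricted to the signals that were actually observed.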