According to the AppArmor policy [1], the following rule is allowed
signal (receive) peer=unconfined,
And when there was no policy for /usr/bin/crun, the signal that is now being denied would fall under this rule, because crun was unconfined.
A profile for crun was added in Bug 2035315 because applications that make use of unprivileged user namespaces must be confined by an AppArmor profile, so to properly fix this bug the following rule must be added
signal (receive) peer=/usr/bin/crun,
or better yet, because of the AppArmor upstream commit that renames the profile [2]
signal (receive) peer={/usr/bin/,}crun,
[1] https://github.com/containers/common/blob/main/pkg/apparmor/apparmor_linux_template.go#L23C36-L23C36
[2] https://gitlab.com/apparmor/apparmor/-/blob/2594d936ada5df797bc69e78a2ef8c6e6171d454/profiles/apparmor.d/crun
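Added example, not part of the bug comment above and not code from containers/common or AppArmor: a small Python helper that turns an AppArmor signal-denial audit line into the signal rule it asks for, and checks how the {/usr/bin/,}crun alternation matches both the path-named profile and the renamed one. The audit line below is constructed for this example (the kernel's field layout for operation="signal" is real, but the profile name, pid and timestamp are placeholders), and the glob translator covers only the {a,b}, * and ** forms used in such rules.

```python
import re

# Constructed sample line in the AppArmor kernel audit format for a denied
# signal delivery. Profile name, pid and timestamp are placeholders.
SAMPLE_DENIAL = (
    'type=AVC msg=audit(1700000000.123:456): apparmor="DENIED" operation="signal" '
    'profile="containers-default-0.50.1" pid=4242 comm="conmon" '
    'requested_mask="receive" denied_mask="receive" signal=term peer="crun"'
)

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line: str) -> dict:
    """Split an AppArmor audit line into a dict of key -> unquoted value."""
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}


def suggest_signal_rule(fields: dict) -> str:
    """Build the profile rule that would have allowed the denied signal.

    For operation="signal", denied_mask gives the direction (send/receive)
    and peer is the label of the other task, i.e. the peer's profile name
    (or "unconfined"). That is why renaming a profile changes which
    peer= rule matches.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        raise ValueError("not an AppArmor signal denial")
    return f'signal ({fields["denied_mask"]}) peer={fields["peer"]},'


def apparmor_glob_to_regex(pattern: str) -> str:
    """Translate the {a,b}, * and ** subset of AppArmor globbing to a regex."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # ** crosses path separators
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")       # * stops at a path separator
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")           # alternation only inside braces
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def peer_matches(rule_peer: str, actual_peer: str) -> bool:
    """Does the peer= pattern of a rule cover the peer label from the audit log?"""
    return re.fullmatch(apparmor_glob_to_regex(rule_peer), actual_peer) is not None


if __name__ == "__main__":
    fields = parse_denial(SAMPLE_DENIAL)
    print(suggest_signal_rule(fields))
    for rule in ("unconfined", "/usr/bin/crun", "{/usr/bin/,}crun"):
        print(f"peer={rule:<18} matches {fields['peer']!r}: {peer_matches(rule, fields['peer'])}")
```

The last loop shows the point of the comment: once crun is confined, peer=unconfined no longer covers it, peer=/usr/bin/crun only covers the path-named profile, and the alternation covers both that and the renamed profile.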