app-admin/syslog-ng fails to start when profiles from sec-policy/apparmor-profiles-2.10.1-r1 or 2.11.0 are loaded.

The error is:

     * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ...
    Error parsing source, source plugin system not found in /etc/syslog-ng/syslog-ng.conf at line 25, column 14:

    source src { system(); internal(); };
                 ^^^^^^

The log contains:

    apparmor="DENIED" operation="open" profile="syslog-ng" name="/usr/share/include/scl/" pid=2495 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I fixed this (plus other DENIED errors) by adding these AppArmor rules:

    /usr/share/include/scl/ r,
    /usr/share/include/scl/* r,
    /usr/share/include/scl/** r,
    /dev/kmsg r,
    /proc/1/cgroup r,
    /proc/uptime r,
    /dev/tty12 rw,
    /proc/*/loginuid r,
    /proc/*/cmdline r,
    /proc/*/sessionid r,
The profiles included with that package are as upstream ships them. There's some effort to make Gentoo-specific profiles at https://github.com/gentoo/gentoo-apparmor-profiles but that's mostly a one-person show so far.
appeared recently at the tinderbox image 13.0_20170706-210712
Created attachment 482744 emerge-info.txt
Created attachment 482746 emerge-history.txt
Created attachment 482748 environment
Created attachment 482750 etc.portage.tbz2
Created attachment 482752 logs.tbz2
Created attachment 482754 sys-apps:apparmor-2.11.0:20170709-153203.log
*** Bug 631506 has been marked as a duplicate of this bug. ***
The startup SCL failure should be fixed as the SCL installation path now matches the upstream AppArmor profile. Regarding the other denials, I am hesitant to make any changes unless we can justify why each new allow is needed. Please feel free to reopen this if things are not working as you expect.
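
The last comment asks for a justification for each new allow rule. As an added example (not code from this bug report or from the AppArmor or Gentoo projects), the Python script below groups DENIED records for one profile by path, so that each candidate rule can be reviewed against the operation and hit count behind it. Only the first sample line is the denial quoted in the report; the other log lines are constructed, and the script assumes that an unquoted name= value is a path hex-encoded by the audit layer.

```python
import re
from collections import defaultdict

# Constructed sample log: only the first line is quoted from the report above.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="open" profile="syslog-ng" name="/usr/share/include/scl/" pid=2495 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=2495 comm="syslog-ng" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=2495 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="syslog-ng" name=2F746D702F6120622E6C6F67 pid=2495 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="other-daemon" name="/proc/uptime" pid=31 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=2400 comm="apparmor_parser"
'''
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one DENIED record, or None for other lines."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        # Assumption: audit hex-encodes names containing spaces or quotes.
        if key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields

def summarize(log_text, profile):
    """Group one profile's denials by path: merged mask, operations, hit count."""
    seen = defaultdict(lambda: {"mask": set(), "ops": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or rec.get("profile") != profile:
            continue
        entry = seen[rec["name"]]
        entry["mask"].update(rec.get("denied_mask", ""))
        entry["ops"].add(rec.get("operation", "?"))
        entry["count"] += 1
    return dict(seen)

def review_lines(summary):
    """Render each path in the rule syntax used in the report, with evidence."""
    out = []
    for path, e in sorted(summary.items()):
        mask = "".join(sorted(e["mask"], key="rwaxmlk".find))
        shown = f'"{path}"' if " " in path else path
        out.append(f"{shown} {mask},  # {'/'.join(sorted(e['ops']))} x{e['count']}")
    return out

if __name__ == "__main__":
    print("\n".join(review_lines(summarize(SAMPLE_LOG, "syslog-ng"))))
```

The output is a review list, not a profile fragment to load as-is: each line still needs a reason why syslog-ng should have that access.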