Hi All,

Systemd provides this variable *AppArmorProfile=* for the unit files

I have enabled Apparmor support in systemd and confirmed it is enabled as
per below output.

# systemctl  --version
systemd 250 (250.5+)
-PAM -AUDIT -SELINUX *+APPARMOR* +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS
-OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD
-LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4
-XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT
default-hierarchy=hybrid

*test.service*
[Service]
Type=forking
WorkingDirectory=/usr/local/
*AppArmorProfile-=foo*
ExecStart=/usr/bin/test
Restart=on-failure

During boot-up, profile "foo" is NOT loaded while executing
test.service. However, I am observing the logs below:

grep -rni DENIED /var/logs/messages.txt
431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2):
apparmor="DENIED" operation="change_onexec" info="label not found" error=-2
profile="unconfined" name="foo" pid=2970 comm="(sh)"

As per my understanding, if prefixed by "-", all errors will be ignored.
But I am still observing the above logs.
Do we need to update this line *AppArmorProfile-=foo* in the unit file?

I would like to understand the difference between *AppArmorProfile=foo*
and *AppArmorProfile-=foo*?

Please share your views.

Thanks
Murali.S
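As an added illustration (not part of the post above and not systemd's own code), the following Python script parses a unit file like the one quoted and the AppArmor audit record from the mail, and spells out what each spelling of the directive does. The unit snippets and the audit line are constructed from the mail. It assumes the documented semantics of systemd.exec(5): AppArmorProfile= switches to the named profile before exec, a "-" in front of the value (AppArmorProfile=-foo) makes systemd ignore failures of that switch, a key that systemd does not know (such as "AppArmorProfile-") is warned about and ignored, and the change_onexec DENIED record is written by the kernel's AppArmor LSM regardless of what systemd does with the returned error.

```python
"""Check a unit's AppArmorProfile= directive against an AppArmor audit record
to explain a "label not found" change_onexec denial seen at boot."""
import re

# Constructed from the mail: the unit as posted, plus the two valid spellings.
UNIT_WITH_TYPO = """\
[Service]
Type=forking
WorkingDirectory=/usr/local/
AppArmorProfile-=foo
ExecStart=/usr/bin/test
Restart=on-failure
"""
UNIT_IGNORE_ERRORS = UNIT_WITH_TYPO.replace("AppArmorProfile-=foo", "AppArmorProfile=-foo")
UNIT_STRICT = UNIT_WITH_TYPO.replace("AppArmorProfile-=foo", "AppArmorProfile=foo")

# Constructed audit record, taken from the log line in the mail.
AUDIT_LINE = ('audit: type=1400 audit(33.089:2): apparmor="DENIED" '
              'operation="change_onexec" info="label not found" error=-2 '
              'profile="unconfined" name="foo" pid=2970 comm="(sh)"')

AUDIT_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_unit(text):
    """Minimal parser for the [Section] / Key=Value layout of a unit file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def apparmor_setting(unit_text):
    """Interpret the AppArmor directive in [Service] the way systemd would."""
    service = parse_unit(unit_text).get("Service", {})
    if "AppArmorProfile-" in service:
        # The "-" belongs in front of the value, not the key: systemd knows no
        # key "AppArmorProfile-", warns about it at load time and applies nothing.
        return {"profile": None, "ignore_errors": False, "applied": False,
                "note": "unknown key 'AppArmorProfile-' (write AppArmorProfile=-foo); "
                        "systemd ignores it and confines nothing"}
    value = service.get("AppArmorProfile", "")
    if not value:
        return {"profile": None, "ignore_errors": False, "applied": False,
                "note": "no AppArmorProfile= directive"}
    ignore = value.startswith("-")          # "-" prefix: failures are not fatal
    return {"profile": value[1:] if ignore else value, "ignore_errors": ignore,
            "applied": True, "note": "profile switch requested before exec"}


def parse_audit(line):
    """Split an AppArmor audit record into its key=value fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in AUDIT_KV.finditer(line)}


def explain(unit_text, audit_line):
    """Relate a change_onexec denial to the directive that caused it."""
    setting = apparmor_setting(unit_text)
    rec = parse_audit(audit_line)
    if rec.get("apparmor") != "DENIED" or rec.get("operation") != "change_onexec":
        return "no change_onexec denial in the record"
    name = rec.get("name")
    if setting["profile"] != name:
        return f"denial for profile {name!r} does not match this unit ({setting['note']})"
    if rec.get("info") != "label not found":
        return f"change_onexec to {name!r} denied: {rec.get('info')}"
    base = f"profile {name!r} is not loaded in the kernel when the service starts; "
    if setting["ignore_errors"]:
        # The "-" prefix only changes what systemd does with the error: the
        # kernel still audits the failed switch, systemd then starts the
        # service without that profile.
        return base + ("the '-' prefix makes systemd ignore the failure and start the "
                       "service without the profile, but the kernel still logs the "
                       "denial; load the profile before the unit starts, or drop the "
                       "directive, to silence it")
    return base + "without the '-' prefix systemd treats the failure as fatal"


if __name__ == "__main__":
    for label, unit in (("as posted", UNIT_WITH_TYPO), ("=-foo", UNIT_IGNORE_ERRORS),
                        ("=foo", UNIT_STRICT)):
        print(f"{label:10} -> {explain(unit, AUDIT_LINE)}")
```

Run without arguments it prints one verdict per spelling; the point it makes is that only the value, not the key, may carry the "-", and that the prefix suppresses systemd's reaction to the failed profile switch, not the kernel's audit record.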
