Indeed, with 4.14 I got my first Debian network (potential) denies (yay! :-D ):

type=AVC msg=audit(1507226290.361:585): apparmor="ALLOWED" operation="recvmsg" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=SYSCALL msg=audit(1507226290.361:585): arch=c000003e syscall=47 success=yes exit=394 a0=a a1=7ffc32295f60 a2=40000000 a3=7ffc322960c0 items=0 ppid=1 pid=526 auid=4294967295 uid=116 gid=119 euid=116 suid=116 fsuid=116 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" key=(null)
type=PROCTITLE msg=audit(1507226290.361:585): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73

type=AVC msg=audit(1507226290.377:601): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send"
type=SYSCALL msg=audit(1507226290.377:601): arch=c000003e syscall=44 success=yes exit=61 a0=4 a1=55b432e7f5e0 a2=3d a3=4000 items=0 ppid=1 pid=526 auid=4294967295 uid=116 gid=119 euid=116 suid=116 fsuid=116 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" key=(null)
type=PROCTITLE msg=audit(1507226290.377:601): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73

type=AVC msg=audit(1507226290.397:613): apparmor="ALLOWED" operation="create" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
type=SYSCALL msg=audit(1507226290.397:613): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=73 items=0 ppid=1 pid=526 auid=4294967295 uid=116 gid=119 euid=116 suid=116 fsuid=116 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" key=(null)
type=PROCTITLE msg=audit(1507226290.397:613): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73

Also, these lines look strange to me (multiple AVC and then SYSCALL/PROC...):

type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="recvmsg" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=SYSCALL msg=audit(1507226290.397:616): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7ffc322960de a2=1 a3=67 items=0 ppid=1 pid=526 auid=4294967295 uid=116 gid=119 euid=116 suid=116 fsuid=116 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" key=(null)
type=PROCTITLE msg=audit(1507226290.397:616): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73

Anyway, the patch suggested by Christian Boltz, which is attached, fixes these issues.
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice	2017-06-24 18:42:47 +0000
+++ profiles/apparmor.d/abstractions/nameservice	2017-10-05 16:42:29 +0000
@@ -88,6 +88,11 @@
   network inet  dgram,
   network inet6 dgram,
 
+  # unix dgram/stream
+  # TODO: replace with more specific unix rules when support for unix rules arrives in the Kernel (probably in 4.15) and gives us detailed log messages
+  network unix dgram,
+  network unix stream,
+
   # TODO: adjust when support finer-grained netlink rules
   # Netlink raw needed for nscd
   network netlink raw,
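Review bot: the two `network unix dgram,` / `network unix stream,` rules added in this hunk grant every socket operation (create, bind, connect, send, receive and so on) on any unix dgram or stream socket to every profile that includes the nameservice abstraction, which is considerably broader than the recvmsg/sendmsg/create operations shown in the logs above; since this abstraction is pulled into many profiles, the comment should say plainly that this is a temporary widening until finer-grained unix rules can be mediated and logged, and the long `# TODO: replace with more specific unix rules ...` line should be wrapped to the width of the file's existing comments (compare the single short `# TODO: adjust when support finer-grained netlink rules` line in the same context).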

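The records above are easier to reason about once they are grouped by audit serial (the `:585`, `:601`, `:616` part of `msg=audit(...)`), which is exactly why several AVC lines can precede a single SYSCALL/PROCTITLE pair. The following parser is an added example, not code from the mail or from the AppArmor project: it groups records by serial, decodes the hex `proctitle`, and summarizes per profile which socket operations were seen, whether they were only logged in complain mode (`apparmor="ALLOWED"`) or actually blocked, and which coarse `network` rules (of the kind the attached patch adds) would cover them. The sample input is a constructed, shortened copy of records from this mail.

```python
import re
from collections import defaultdict

# Constructed sample: shortened records from the mail above, one per line; event :616
# carries two AVC records that share one SYSCALL/PROCTITLE pair.
SAMPLE = """\
type=AVC msg=audit(1507226290.361:585): apparmor="ALLOWED" operation="recvmsg" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=SYSCALL msg=audit(1507226290.361:585): arch=c000003e syscall=47 success=yes exit=394 pid=526 uid=116 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" key=(null)
type=PROCTITLE msg=audit(1507226290.361:585): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73
type=AVC msg=audit(1507226290.377:601): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send"
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="recvmsg" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=SYSCALL msg=audit(1507226290.397:616): arch=c000003e syscall=0 success=yes exit=0 pid=526 uid=116 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" key=(null)
type=PROCTITLE msg=audit(1507226290.397:616): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73
"""

HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")  # record type, timestamp, serial
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                          # remaining key=value fields

def parse_record(line):
    """One audit record -> dict with type, ts, serial and its key=value fields (quotes stripped)."""
    m = HDR.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "ts": m.group(2), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in KV.findall(line[m.end():]))
    return rec

def decode_proctitle(hexstr):
    """proctitle is the hex-encoded argv, with NUL bytes separating the arguments."""
    return [a.decode() for a in bytes.fromhex(hexstr).split(b"\x00")]

def group_events(text):
    """Group records by audit serial: every AVC/SYSCALL/PROCTITLE line of one event shares it."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, text.splitlines())):
        events[rec["serial"]].append(rec)
    return dict(events)

def summarize(text):
    """Per profile: (operation, family, sock_type, denied_mask) tuples seen, the coarse
    'network' rules that would cover them, and the modes seen (ALLOWED = complain mode only)."""
    out = {}
    for recs in group_events(text).values():
        for a in (r for r in recs if r["type"] == "AVC"):
            p = out.setdefault(a["profile"], {"ops": set(), "rules": set(), "modes": set()})
            p["ops"].add((a["operation"], a.get("family"), a.get("sock_type"), a.get("denied_mask")))
            p["modes"].add(a["apparmor"])
            if "family" in a and "sock_type" in a:
                p["rules"].add(f"network {a['family']} {a['sock_type']},")
    return out
```

Feeding the real `/var/log/audit/audit.log` through `summarize()` gives the same per-profile view; a profile whose `modes` contains only `ALLOWED` is in complain mode and every listed operation would be refused once it is switched to enforce.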