These are not AppArmor messages. AppArmor messages clearly say apparmor="DENIED" or apparmor="ALLOWED" or similar.
Audit message 1702 is generated when an application trips a link restriction denial: https://github.com/torvalds/linux/blob/master/kernel/audit.c#L2254 The "linkat" version of the message comes from: https://github.com/torvalds/linux/blob/master/fs/namei.c#L968 If you want to enable the unsafe hardlink behaviour you can set a sysctl to do so. (This is a homework problem left for the reader.) Audit message 1302 reports a filename: https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h#L89 Since this is the next audit record after the 1702 message, I believe this is just reporting *which* file was involved in the previous unsafe link behaviour. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1747333 Title: apparmor rules deny lease backup To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1747333/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs