I don't see the following step from the Test Case performed in comment #20. Was it?
4) check kernel logs for DENIED $ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"' or, depending on how logging is configured: $ dmesg | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"' Step 4, should not return anything. Because systemd is involved in the user/group lookups, it currently returns the following: ** Tags removed: verification-done verification-done-focal ** Tags added: verification-needed verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1872564 Title: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs