(In reply to Christian Boltz from comment #8) > I'm afraid your audit.log caused more questions than it answers ;-) > > Basically you have two events (repeated multiple times): > > apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" > pid=6779 comm="file" lport=814 family="inet" sock_type="dgram" protocol=17 > requested_mask="send" denied_mask="send" > > apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" > pid=7077 comm="lessopen.sh" lport=814 family="inet" sock_type="dgram" > protocol=17 requested_mask="send" denied_mask="send" > > It's very strange that the lessopen.sh script and "file" need inet dgram > permissions. I asked upstream, and the answer was > > [17:27:28] <jjohansen1> well, you can use it internal to the machine as a > message passing protocol > [17:27:51] <jjohansen1> this can be convenient if you have a need that could > be local or remote > [17:28:46] <jjohansen1> but it is certainly suspect, and needs to be looked > into > [...] > [17:49:49] <jjohansen1> its interesting that its the file command and the > script > [17:50:01] <jjohansen1> perhaps its being used as a pipe? > [17:51:41] <jjohansen1> an strace would be interesting to see > > Unfortunately I'm not able to reproduce what you see, so - can you please do > a strace, check that it causes these entries in audit.log again, and then > attach the strace output? "file" does use use socket() .. if it did.. there is a seccomp filter dissallowing anything but AF_UNIX. less doesn't use it either. What the hell is going on.. don't have time to dig further right now. need a trace of the program.. and whatis lport in the audit log also? wasn't able to find the meaning on the web.. it is logging port? low port?