Thanks for the log!

To get your major issue solved, please add

    capability dac_read_search,
    capability dac_override,

to the profile and reload it with

    rcapparmor reload

This is needed to allow root to read files and enter directories owned by a user with, for example, -rwx------ permissions. With AppArmor confinement, root needs these two capabilities to override the missing read permissions. (See capabilities(7) for more details.)

There are some more denials in your log (looks like groff executes several helper binaries) which I'll check later.

(In reply to Dr. Werner Fink from comment #0)
> in /etc/apparmor.d/usr.bin.lessopen.sh I found
>
>   /usr/bin/file rix,
>
> but no rule for /usr/bin/file itself!

The "ix" in the rule means "inherit", so /usr/bin/file will run under the same profile as lessopen.sh.

(In reply to Dr. Werner Fink from comment #5)
> type=AVC msg=audit(1509089056.461:3242): apparmor="DENIED"
> operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=11880 comm="file"
> lport=911 family="inet" sock_type="dgram" protocol=17
>
> ... Hmmm ... what does this mean?

Let me guess - you tried to view a file on an NFS share?

Ideally this should be hidden in the kernel so that the application doesn't see the network access (because that's on the filesystem level). I know there's an open bug report about this - I'll check with upstream if/when we can expect a kernel patch.
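Added example, not part of the bug comment above: a small Python triage script that groups AppArmor DENIED audit records per profile and turns capability denials into candidate `capability` rules for review, leaving other denials (such as the sendmsg record) listed separately. The function names are hypothetical, the "capable" records in the sample are constructed, and the script assumes the `operation="capable" ... capname="..."` layout AppArmor uses for capability denials.

```python
import re
from collections import defaultdict

# Constructed sample. The sendmsg record is the one quoted in the comment;
# the two "capable" records and the ALLOWED record are made up for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1509089056.100:3240): apparmor="DENIED" operation="capable" profile="/usr/bin/lessopen.sh" pid=11870 comm="lessopen.sh" capability=2  capname="dac_read_search"
type=AVC msg=audit(1509089056.200:3241): apparmor="DENIED" operation="capable" profile="/usr/bin/lessopen.sh" pid=11870 comm="lessopen.sh" capability=1  capname="dac_override"
type=AVC msg=audit(1509089056.461:3242): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=11880 comm="file" lport=911 family="inet" sock_type="dgram" protocol=17
type=AVC msg=audit(1509089056.500:3243): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/etc/passwd" pid=1 comm="x"
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def summarize_denials(log_text):
    """Return (capabilities per profile, other denials per profile)."""
    caps = defaultdict(set)
    other = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue  # skip ALLOWED (complain mode) and non-AppArmor lines
        profile = rec.get("profile", "?")
        if rec.get("operation") == "capable" and "capname" in rec:
            caps[profile].add(rec["capname"])
        else:
            other[profile].append((rec.get("operation"), rec.get("comm"),
                                   rec.get("family"), rec.get("sock_type")))
    return caps, other


def capability_rules(caps):
    """Render candidate profile lines; review them before adding any."""
    return {p: [f"capability {c}," for c in sorted(names)]
            for p, names in caps.items()}


if __name__ == "__main__":
    caps, other = summarize_denials(SAMPLE_LOG)
    for profile, rules in capability_rules(caps).items():
        print(profile, *rules, sep="\n    ")
    for profile, items in other.items():
        for item in items:
            print(profile, "non-capability denial:", item)
```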