Unfortunately the instance with the original log and profile has been terminated. I think that I have reproduced the bug. AppArmor parser version 2.10.95 Copyright (C) 1999-2008 Novell Inc. Copyright 2009-2012 Canonical Ltd. Syslog: Mar 10 00:39:57 ubuntu kernel: [ 51.010399] audit: type=1400 audit(1489106395.892:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/ubuntu-core-launcher" pid=915 comm="apparmor_parser" Mar 10 00:39:57 ubuntu kernel: [ 51.272054] audit: type=1400 audit(1489106396.152:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/ntpd" pid=918 comm="apparmor_parser" Mar 10 00:39:57 ubuntu kernel: [ 51.321784] audit: type=1400 audit(1489106396.204:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=916 comm="apparmor_parser" Mar 10 00:39:57 ubuntu kernel: [ 51.322484] audit: type=1400 audit(1489106396.204:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=916 comm="apparmor_parser" Mar 10 00:39:57 ubuntu kernel: [ 51.323131] audit: type=1400 audit(1489106396.204:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=916 comm="apparmor_parser" Mar 10 00:39:57 ubuntu kernel: [ 51.323753] audit: type=1400 audit(1489106396.204:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=916 comm="apparmor_parser" Mar 10 00:39:57 ubuntu kernel: [ 51.476850] audit: type=1400 audit(1489106396.360:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=922 comm="apparmor_parser" Mar 10 00:40:11 ubuntu kernel: [ 66.145691] audit: type=1400 audit(1489106411.206:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=3647 comm="apparmor_parser" Mar 10 01:06:08 ubuntu kernel: [ 
1623.061095] audit: type=1400 audit(1489107968.123:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="confined_user" pid=7416 comm="apparmor_parser" Mar 10 01:06:08 ubuntu kernel: [ 1623.061940] audit: type=1400 audit(1489107968.123:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="default_user" pid=7416 comm="apparmor_parser" Mar 10 01:06:08 ubuntu kernel: [ 1623.492384] audit: type=1400 audit(1489107968.555:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/bin/su" pid=7417 comm="apparmor_parser" Mar 10 01:06:08 ubuntu kernel: [ 1623.493298] audit: type=1400 audit(1489107968.555:13): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/bin/su//DEFAULT" pid=7417 comm="apparmor_parser" Mar 10 01:06:08 ubuntu kernel: [ 1623.494189] audit: type=1400 audit(1489107968.555:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/bin/su//root" pid=7417 comm="apparmor_parser" Mar 10 01:06:08 ubuntu kernel: [ 1623.495047] audit: type=1400 audit(1489107968.555:15): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/bin/su//tester" pid=7417 comm="apparmor_parser" Mar 10 01:06:08 ubuntu kernel: [ 1623.715832] audit: type=1400 audit(1489107968.775:16): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/perf" pid=7440 comm="apparmor_parser" Mar 10 01:06:09 ubuntu kernel: [ 1623.970888] audit: type=1400 audit(1489107969.031:17): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/sshd" pid=7421 comm="apparmor_parser" Mar 10 01:06:09 ubuntu kernel: [ 1623.971284] audit: type=1400 audit(1489107969.031:18): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/sshd//AUTHENTICATED" pid=7421 comm="apparmor_parser" Mar 10 01:06:09 ubuntu kernel: [ 1623.971733] audit: type=1400 audit(1489107969.031:19): apparmor="STATUS" operation="profile_load" profile="unconfined" 
name="/usr/sbin/sshd//DEFAULT" pid=7421 comm="apparmor_parser" Mar 10 01:06:59 ubuntu kernel: [ 1674.012895] audit: type=1400 audit(1489108019.075:25): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/sshd//DEFAULT" pid=8493 comm="sshd" requested_mask="trace" denied_mask="trace" peer="unconfined" Mar 10 01:06:59 ubuntu kernel: [ 1674.013211] audit: type=1400 audit(1489108019.075:26): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/sshd//DEFAULT" pid=8493 comm="sshd" requested_mask="trace" denied_mask="trace" peer="unconfined" Mar 10 01:07:00 ubuntu kernel: [ 1674.941200] audit: type=1400 audit(1489108020.003:27): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/sshd//DEFAULT" pid=8521 comm="sshd" requested_mask="trace" denied_mask="trace" peer="unconfined" Mar 10 01:07:00 ubuntu kernel: [ 1674.941584] audit: type=1400 audit(1489108020.003:28): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/sshd//DEFAULT" pid=8521 comm="sshd" requested_mask="trace" denied_mask="trace" peer="unconfined" Mar 10 01:08:16 ubuntu kernel: [ 1751.517359] audit: type=1400 audit(1489108096.578:29): apparmor="DENIED" operation="open" profile="/usr/bin/perf" name="/etc/dpkg/dpkg.cfg.d/zfs-doc" pid=16326 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=60004 ouid=0 Mar 10 01:08:16 ubuntu kernel: [ 1751.519615] audit: type=1400 audit(1489108096.578:30): apparmor="DENIED" operation="open" profile="/usr/bin/perf" name="/etc/dpkg/dpkg.cfg.d/zfs-doc" pid=16334 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=60004 ouid=0 Mar 10 01:08:16 ubuntu kernel: [ 1751.567245] audit: type=1400 audit(1489108096.626:31): apparmor="DENIED" operation="open" profile="/usr/bin/perf" name="/usr/bin/" pid=16335 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=60004 ouid=0 Mar 10 01:10:27 ubuntu kernel: [ 1882.092345] audit: type=1400 audit(1489108227.152:32): apparmor="DENIED" operation="open" profile="default_user" name="/usr/bin/" pid=32705 comm="ls" 
requested_mask="r" denied_mask="r" fsuid=60004 ouid=0
Profile:
#
# This file contains the mappings from users to roles for the binaries
# confined with AppArmor and configured for use with libpam-apparmor.
# Users without a mapping will not be able to log in.
#
# The default hat is a confined user. The hat contains only the permissions
# necessary to transition to the user's login shell. All other permissions have
# been moved into the default_user profile.
#
# NOTE(review): the seven #include lines in each hat below carry no abstraction
# name on this page; the names were presumably lost with their angle brackets
# when the profile was pasted. Restore them from the original file before
# loading this text with apparmor_parser.
#
# NOTE(review): the capability list in each hat is broad for a hat that is
# described as only performing the transition to the login shell
# (dac_override, net_admin, sys_chroot, ...). Confirm that each capability is
# still required while the process is in the hat.
^DEFAULT {
#include
#include
#include
#include
#include
#include
#include
capability audit_control,
capability audit_write,
capability chown,
capability dac_override,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability net_bind_service,
capability sys_ptrace,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
capability sys_tty_config,
# This rule allows tracing an unconfined peer. The syslog excerpt on this page
# nevertheless records ptrace denials for /usr/sbin/sshd//DEFAULT with
# requested_mask="trace" and peer="unconfined", which is the behaviour being
# reported.
ptrace trace peer=unconfined,
# /proc/1/limits is already matched by the /proc/** r rule that follows.
/proc/1/limits r,
/proc/** r,
owner /proc/** rw,
/proc/self/** rw,
# Home directories are read/write only when owned by the accessing user.
owner /home/*/ rw,
owner /home/*/** rw,
/etc/default/su r,
/etc/default/locale r,
/etc/environment r,
/etc/init.d/ r,
/etc/legal r,
/etc/locale.alias r,
/etc/passwd r,
/etc/shells r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/dev/ptmx rw,
/etc/motd r,
/run/motd.dynamic rw,
/run/motd.dynamic.new wr,
# Px -> default_user: executing one of these shells switches to the
# default_user profile (Px scrubs the environment). The syslog on this page
# shows default_user being loaded as a separate profile.
/bin/{,b,d,rb}ash Px -> default_user,
/bin/{,c,k,rk,tc,z}sh Px -> default_user,
/usr/bin/{screen,tcsh,tmux} Px -> default_user,
}
# tester is a confined user.
# The hat contains only the permissions necessary
# to transition to tester's login shell. All other permissions have been
# moved into the confined_user profile.
#
# Unlike ^DEFAULT and ^root, this hat lists neither capability sys_ptrace nor
# a ptrace rule.
^tester {
#include
#include
#include
#include
#include
#include
#include
capability audit_control,
capability audit_write,
capability chown,
capability dac_override,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
capability sys_tty_config,
# /proc/1/limits is already matched by the /proc/** r rule that follows.
/proc/1/limits r,
/proc/** r,
owner /proc/** rw,
/proc/self/** rw,
owner /home/*/ rw,
owner /home/*/** rw,
/etc/default/su r,
/etc/default/locale r,
/etc/environment r,
/etc/init.d/ r,
/etc/legal r,
/etc/locale.alias r,
/etc/passwd r,
/etc/shells r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/dev/ptmx rw,
/etc/motd r,
/run/motd.dynamic rw,
/run/motd.dynamic.new wr,
# Px -> confined_user: executing one of these shells switches to the
# confined_user profile (Px scrubs the environment).
/bin/{,b,d,rb}ash Px -> confined_user,
/bin/{,c,k,rk,tc,z}sh Px -> confined_user,
/usr/bin/{screen,tcsh,tmux} Px -> confined_user,
}
# Don't confine members whose primary group is 'root' who are not specifically
# confined.
#
# This hat keeps capability sys_ptrace but, unlike ^DEFAULT, has no ptrace rule.
^root {
#include
#include
#include
#include
#include
#include
#include
capability audit_control,
capability audit_write,
capability chown,
capability dac_override,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability net_bind_service,
capability sys_ptrace,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
capability sys_tty_config,
# Read/write on all of /proc, with no owner qualifier (the other two hats
# restrict write access to owner and /proc/self).
/proc/** rw,
/etc/default/su r,
/etc/default/locale r,
/etc/environment r,
/etc/init.d/ r,
/etc/legal r,
/etc/locale.alias r,
/etc/passwd r,
/etc/shells r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/dev/ptmx rw,
/etc/motd r,
/run/motd.dynamic rw,
/run/motd.dynamic.new wr,
# Ux: the listed shells run unconfined (with environment scrubbing), so a
# session mapped to this hat leaves AppArmor confinement at exec. Keep the set
# of users that map to ^root as small as the mapping file allows.
/bin/{,b,d,rb}ash Ux,
/bin/{,c,k,rk,tc,z}sh Ux,
/usr/bin/{screen,tcsh,tmux} Ux,
}