While the profile addressed the original reporter's claim that /var/run/dsnmasq.wlan0.pid is the pid to look for, looking in the attached dmesg output and doing 'sudo /etc/init.d/dnsmasq start' showed additional locations for pidfiles and config files. The updated profile should have these additions:
capability dac_override,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
/var/run/*dnsmasq*.pid w,
/var/run/dnsmasq/ r,
/var/run/dnsmasq/* rw,
At present, the profile is useless without these additions, as dnsmasq won't even start when the profile is in enforce mode.
Updated test case:
- apt-get install apparmor-profiles dnsmasq
- enable the dnsmasq profile with 'aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq'
- sudo /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d
- sudo /usr/sbin/dnsmasq -x /var/run/nm-dnsmasq.wlan0.pid -u dnsmasq -7 /etc/dnsmasq.d
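The step described above, reading AppArmor denials out of dmesg to see what the profile is missing, shown as an added example that is not part of the original comment. The log lines are constructed in the kernel's AppArmor audit format (they are not the bug's dmesg attachment), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: kernel audit format, type=1400).
SAMPLE_DMESG = """\
[  101.100000] audit: type=1400 audit(1300000000.100:21): apparmor="DENIED" operation="capable" profile="/usr/sbin/dnsmasq" pid=2101 comm="dnsmasq" capability=1  capname="dac_override"
[  101.200000] audit: type=1400 audit(1300000000.200:22): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/etc/dnsmasq.d/" pid=2101 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.300000] audit: type=1400 audit(1300000000.300:23): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/var/run/dnsmasq/dnsmasq.pid" pid=2101 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[  101.400000] audit: type=1400 audit(1300000000.400:24): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/var/run/dnsmasq/dnsmasq.pid" pid=2101 comm="dnsmasq" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[  101.500000] audit: type=1400 audit(1300000000.500:25): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Kernel mask letters -> profile permission letters (create/delete/append need w).
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "w", "x": "x", "m": "m", "k": "k", "l": "l"}

def parse_denials(text, profile):
    """Collect denied capabilities and denied file permissions for one profile."""
    caps, files = set(), defaultdict(set)
    for line in text.splitlines():
        f = {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue  # skip complain-mode entries and other profiles
        if f.get("operation") == "capable":
            caps.add(f.get("capname", "UNKNOWN"))
        elif "name" in f:
            files[f["name"]].update(MASK_TO_PERM.get(m, m) for m in f.get("denied_mask", ""))
    return caps, files

def candidate_rules(text, profile="/usr/sbin/dnsmasq"):
    """Turn the denials into candidate profile lines for a human to review."""
    caps, files = parse_denials(text, profile)
    rules = [f"capability {cap}," for cap in sorted(caps)]
    for path in sorted(files):
        perms = "".join(p for p in "rwmklx" if p in files[path])
        rules.append(f"{path} {perms},")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_DMESG)))
```

The output lists literal paths exactly as denied; whether to widen them into globs such as the /var/run/*dnsmasq*.pid rule above is a decision for whoever maintains the profile.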