I’m getting this error now due to our sysctl restrictions:
AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/proc/sys/kernel/core_pattern" pid=1 comm="systemd-shutdow" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
We’ll need to create a systemd-shutdown profile for this, although I don’t know why it needs access to that anyway.
We should also create a profile for Xorg, since it’s a large amount of code and has a history of vulnerabilities, and to get rid of this error:
AVC apparmor="DENIED" operation="capable" profile="init-systemd" pid=1715 comm="Xorg" capability=17 capname="sys_rawio"
Granting CAP_SYS_RAWIO in the main profile is not OK, as it opens up so many ways to escalate to kernel privileges, such as iopl().
Even if we do make an X profile, I don’t know if I’m comfortable with exposing CAP_SYS_RAWIO to a program with such a huge attack surface.
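
The triage described in the post above, as an added example that is not part of the original post or of the project's tooling: it parses the two quoted denials, groups them by confining profile and by the process that triggered them, and flags capability denials that should be reviewed rather than allowed. The function names and the HIGH_RISK_CAPS set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Illustrative set, not exhaustive (assumption); sys_rawio is the one from the post.
HIGH_RISK_CAPS = {"sys_rawio", "sys_admin", "sys_module"}

# key=value or key="quoted value" pairs as they appear in AppArmor audit lines.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two denials quoted in the post.
SAMPLE_LOG = """\
AVC apparmor="DENIED" operation="open" profile="init-systemd" name="/proc/sys/kernel/core_pattern" pid=1 comm="systemd-shutdow" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="capable" profile="init-systemd" pid=1715 comm="Xorg" capability=17 capname="sys_rawio"
"""

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED line, else None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in PAIR_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def triage(lines):
    """Group denials by (profile, comm). The kernel truncates comm to 15
    characters, which is why systemd-shutdown shows up as 'systemd-shutdow'."""
    groups = defaultdict(list)
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if d.get("operation") == "capable":
            cap = d.get("capname", "?")
            item = ("capability", cap, cap in HIGH_RISK_CAPS)
        else:
            item = ("file", d.get("name", "?") + " " + d.get("denied_mask", "?"), False)
        groups[(d.get("profile"), d.get("comm"))].append(item)
    return dict(groups)

def report(groups):
    """One line per denial, marking capabilities that need review before any allow rule."""
    out = []
    for (profile, comm), items in sorted(groups.items()):
        for kind, what, risky in items:
            note = "HIGH RISK, review before allowing" if risky else "candidate rule"
            out.append(f"{comm} (under {profile}): {kind} {what} [{note}]")
    return out

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG.splitlines()))))
```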