Hi I thought write should be admin opt-in, the profile already has #include <abstractions/nameservice> which has /etc/resolv.conf r,
Yes your Deny is a write Deny and that is why you add a "w" rule, but I thought that should be an explicit admin opt-in for security reasons. After all changing name resolution is a nice place to start an attack and opening that (by default) to software that is reachable from the outside by design might not be too good. Maybe we could ship a commented out line with some comment what it is used for and ask users to "put that in your apparmor...local... file if you want to use ..." -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd
