Correct. There are actually several ways to get disconnected paths and this specific one is being caused by the new file ns. The proper fix for this is delegating access to the object that would not normally be accessible, however delegation is not available in the current releases of apparmor and the HACK of attach disconnected is being used to work around this.
As for apparmor not complaining about disconnected path failures, it should be unless attach disconnected is specified. The info field in the apparmor audit message will be info="Failed name lookup - disconnected path" -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1373070 Title: full fix for disconnected path (paths) Status in cups package in Ubuntu: Fix Released Status in linux package in Ubuntu: Triaged Status in rsyslog package in Ubuntu: New Bug description: With the apparmor 3 RC1 upload, there is an incomplete bug fix for disconnected paths. This bug is to track that work. This denial may be related: Sep 23 10:10:50 localhost kernel: [40262.517799] audit: type=1400 audit(1411485050.722:2862): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/rsyslogd" name="dev/log" pid=7011 comm="logger" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 This is related to bug 1375410 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1373070/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
