-lines=(
- "/etc/resolved-nsswitch/nsswitch.conf r,"
- "/etc/basic-nsswitch/nsswitch.conf r,"
- # Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
- # I dont know if this is quite the right fix, but I saw other sockets
- # in the nameservice files that were rw, so figured it was ok to add this and it worked.
- "/run/systemd/resolve/io.systemd.Resolve rw,"
-)
-f=/etc/apparmor.d/abstractions/nameservice
-apparmor_reload=false
-if [[ -e $f ]]; then
- for l in "${lines[@]}"; do
- if ! grep -qF "$l" $f; then
- sudo sed -i "/\/nsswitch.conf/a $l" $f
- apparmor_reload=true
- if ! grep -qF "$l" $f; then
- echo "$0: failed editing $f. investigate"
- exit 1
- fi
- fi
- done
- if $apparmor_reload && systemctl is-active apparmor; then
- m ser reload apparmor
- fi
+u /etc/apparmor.d/abstractions/nameservice.d/iank <<'EOF'
+/etc/resolved-nsswitch/nsswitch.conf r,
+/etc/basic-nsswitch/nsswitch.conf r,
+# Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
+# I dont know if this is quite the right fix, but I saw other sockets
+# in the nameservice files that were rw, so figured it was ok to add this and it worked.
+/run/systemd/resolve/io.systemd.Resolve rw,
+EOF
+
+if $ur && systemctl is-active apparmor; then
+ m systemctl reload apparmor