AppArmor profile for pdns-recursor blocks starting the pdns-recursor service under systemd


When I use aa-genprof to generate an apparmor profile for /usr/sbin/pdns_recursor, everything seems fine. But apparmor blocks the service from starting even in complain mode. I launched a fresh AWS EC2 Ubuntu instance to check it. Ubuntu 16 works well, but Ubuntu 18 and Ubuntu 20 have the problem. I think this should be a systemd-related issue, but I can't find the root cause.

root@ip-172-31-3-245:/home/ubuntu# aa-genprof /usr/sbin/pdns_recursor

root@ip-172-31-3-245:/home/ubuntu# aa-complain /usr/sbin/pdns_recursor 
root@ip-172-31-3-245:/home/ubuntu# systemctl stop pdns-recursor.service
root@ip-172-31-3-245:/home/ubuntu# systemctl start pdns-recursor.service  # it blocks till timeout

root@ip-172-31-3-245:/home/ubuntu# aa-disable /usr/sbin/pdns_recursor    
root@ip-172-31-3-245:/home/ubuntu# systemctl stop pdns-recursor.service
root@ip-172-31-3-245:/home/ubuntu# systemctl start pdns-recursor.service  # it runs fluently

I also cleared /var/log/kern.log and /var/log/syslog to look at the messages. Here is the relevant /var/log/syslog:

Jul  3 17:15:06 ip-172-31-3-245 systemd[1]: Starting PowerDNS Recursor...
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: PowerDNS Recursor 4.1.1 (C) 2001-2017 PowerDNS.COM BV
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Using 64-bits mode. Built using gcc 7.3.0.
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Reading random entropy from '/dev/urandom'
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: If using IPv6, please raise sysctl net.ipv6.route.max_size, currently set to 4096 which is < 16384
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
Jul  3 17:15:06 ip-172-31-3-245 kernel: [ 1247.120388] audit: type=1400 audit(1593796506.631:2170): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/pdns_recursor" name="run/systemd/journal/dev-log" pid=13633 comm="pdns_recursor" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul  3 17:15:06 ip-172-31-3-245 kernel: [ 1247.120988] audit: type=1400 audit(1593796506.631:2171): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/pdns_recursor" name="run/systemd/journal/dev-log" pid=13633 comm="pdns_recursor" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: PowerDNS Recursor itself will distribute queries over threads
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Inserting rfc 1918 private space zones
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Listening for UDP queries on 127.0.0.1:53
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Enabled TCP data-ready filter for (slight) DoS protection
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Listening for TCP queries on 127.0.0.1:53
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Set effective group id to 115
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Set effective user id to 111
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Launching 3 threads
Jul  3 17:15:06 ip-172-31-3-245 kernel: [ 1247.144789] audit: type=1400 audit(1593796506.655:2172): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/pdns_recursor" name="run/systemd/notify" pid=13633 comm="pdns_recursor" requested_mask="w" denied_mask="w" fsuid=111 ouid=0
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Done priming cache with root hints
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Done priming cache with root hints
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Enabled 'epoll' multiplexer
Jul  3 17:15:06 ip-172-31-3-245 pdns_recursor[13633]: Done priming cache with root hints
Jul  3 17:16:36 ip-172-31-3-245 systemd[1]: pdns-recursor.service: Start operation timed out. Terminating.
Jul  3 17:16:36 ip-172-31-3-245 systemd[1]: pdns-recursor.service: Failed with result 'timeout'.
Jul  3 17:16:36 ip-172-31-3-245 systemd[1]: Failed to start PowerDNS Recursor.

Answer 1

The solution is to extend the generated profile, as Christian Boltz mentioned in 2016, by adding

flags=(attach_disconnected)

to the generated rules.
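The two audit lines in the question are the whole diagnosis: `info="Failed name lookup - disconnected path"` with a `name=` that has no leading slash (`run/systemd/notify`, `run/systemd/journal/dev-log`) means the kernel could not resolve the socket path back to the root of the profile's namespace, which is what happens when the unit runs the daemon in a private mount namespace. Even in complain mode the lookup itself fails, so the readiness notification never reaches systemd and the start times out. The script below is an added example, not code from the question, from PowerDNS or from the AppArmor project: it scans a log excerpt for exactly those events and reports each confined program whose profile header still lacks `flags=(attach_disconnected)`. The log lines are adapted from the question (hostname shortened) and the two profile files are constructed, minimal stand-ins for the real `/etc/apparmor.d/usr.sbin.pdns_recursor`; nothing in it touches live system files.

```shell
#!/bin/sh
# Added example, not code from the question or from PowerDNS/AppArmor.
# It automates the diagnosis above: scan a syslog/kern.log excerpt for
# AppArmor "disconnected path" events and report each confined profile that
# hit one but does not carry flags=(attach_disconnected) in its header.
# All inputs below are constructed sample data, not live system files.

# Constructed sample log: two audit lines adapted from the question (hostname
# shortened) plus one unrelated daemon line that must be ignored.
SAMPLE_LOG='Jul  3 17:15:06 host kernel: [ 1247.120388] audit: type=1400 audit(1593796506.631:2170): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/pdns_recursor" name="run/systemd/journal/dev-log" pid=13633 comm="pdns_recursor" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul  3 17:15:06 host pdns_recursor[13633]: Launching 3 threads
Jul  3 17:15:06 host kernel: [ 1247.144789] audit: type=1400 audit(1593796506.655:2172): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/pdns_recursor" name="run/systemd/notify" pid=13633 comm="pdns_recursor" requested_mask="w" denied_mask="w" fsuid=111 ouid=0'

# Two constructed profile files in a scratch directory: the header shape
# aa-genprof produces (no flags) and the same header with the fix applied.
# The bodies are deliberately minimal and hypothetical.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/generated" <<'EOF'
#include <tunables/global>

/usr/sbin/pdns_recursor {
  #include <abstractions/base>
  /usr/sbin/pdns_recursor mr,
}
EOF
cat > "$WORK/fixed" <<'EOF'
#include <tunables/global>

/usr/sbin/pdns_recursor flags=(attach_disconnected) {
  #include <abstractions/base>
  /usr/sbin/pdns_recursor mr,
}
EOF

# Read log text on stdin; print one "profile path" pair per distinct
# disconnected-path event. The path has no leading slash in these events,
# which is the tell-tale that it could not be resolved to the namespace root.
disconnected_paths() {
    awk '
        /info="Failed name lookup - disconnected path"/ {
            match($0, /profile="[^"]*"/); p = substr($0, RSTART + 9, RLENGTH - 10)
            match($0, /name="[^"]*"/);    n = substr($0, RSTART + 6, RLENGTH - 7)
            print p " " n
        }' | sort -u
}

# Succeed when the header of profile $2 (a binary path, used here as a regex)
# in file $1 carries attach_disconnected inside its flags=(...) list.
has_attach_disconnected() {
    grep -E "^[[:space:]]*(profile[[:space:]]+)?$2[[:space:]]+.*\{[[:space:]]*\$" "$1" |
        grep -q 'flags=([^)]*attach_disconnected[^)]*)'
}

# Read log text on stdin; for profile file $1, print every disconnected path
# whose profile still lacks the flag. Prints nothing once the file is fixed.
needs_flag() {
    disconnected_paths | while read -r profile path; do
        if ! has_attach_disconnected "$1" "$profile"; then
            printf '%s needs flags=(attach_disconnected) for %s\n' "$profile" "$path"
        fi
    done
}

# Count lines without the leading blanks some wc implementations print.
count_lines() { wc -l | tr -d ' '; }

# Stand-alone run: the generated profile is reported twice, the fixed one never.
printf '%s\n' "$SAMPLE_LOG" | needs_flag "$WORK/generated"
printf '%s\n' "$SAMPLE_LOG" | needs_flag "$WORK/fixed"
```

Against a real host, replace the constructed inputs with `journalctl -k` or `/var/log/kern.log` on stdin and the profile under `/etc/apparmor.d/`, then reload with `apparmor_parser -r` after editing. Keep in mind what the flag does: with `attach_disconnected`, a path the kernel cannot connect to the namespace root is treated as if it hung off `/`, so the profile's ordinary path rules (for example a rule for `/run/systemd/notify`) now apply to it. That is the intended fix here, but it also means wide rules such as `/** w,` would cover disconnected paths too, so keep the generated rules as narrow as `aa-logprof` leaves them.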
