Comment 3 for bug 872446

Jamie Strandboge (jdstrand) wrote : Re: aa-logprof should detect denials as well as complaints

1. Create /tmp/foo.sh:
#!/bin/sh
cat /etc/fstab
grep root /etc/passwd

2. chmod 755 /tmp/foo.sh

3. sudo aa-genprof /tmp/foo.sh
Writing updated profile for /tmp/foo.sh.
Setting /tmp/foo.sh to complain mode.
...
[(S)can system log for AppArmor events] / (F)inish

(press 'f', i.e., don't run /tmp/foo.sh in another terminal or anything)
Reloaded AppArmor profiles in enforce mode.
...
Finished generating profile for /tmp/foo.sh.

4. verify it is loaded
$ sudo aa-status|grep foo
   /tmp/foo.sh

5. run the script:
$ /tmp/foo.sh
/bin/sh: Can't open /tmp/foo.sh

6. run aa-logprof
$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile: /tmp/foo1.sh
Path: /tmp/foo1.sh
Mode: r
Severity: unknown

 [1 - /tmp/foo1.sh]
(press 'a')

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /tmp/foo1.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
(press 's')
Writing updated profile for /tmp/foo1.sh.

8. Verify the profile was updated:
$ cat /etc/apparmor.d/tmp.foo1.sh
# Last Modified: Mon Mar 26 13:40:50 2012
#include <tunables/global>

/tmp/foo.sh {
  #include <abstractions/base>

  /bin/dash ix,
  /tmp/foo.sh r,

}

9. Run the script:
$ /tmp/foo1.sh
/tmp/foo1.sh: 2: cat: Permission denied
/tmp/foo1.sh: 3: grep: Permission denied

10. run aa-logprof:
$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

(notice I wasn't prompted).

11. Run the script:
$ /tmp/foo1.sh
/tmp/foo1.sh: 2: cat: Permission denied
/tmp/foo1.sh: 3: grep: Permission denied

I'm not sure what this is as I did see it work a couple of times. I think this might be a timestamp checking issue. If I went slowly between running aa-genprof and aa-logprof it would work. If I went more quickly, it would not. This is not a result of kernel rate limiting, because I have entries in dmesg for the cat and grep denials.
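To check from the log itself that the denials are there (independently of whether aa-logprof prompts), here is a small scanner, added as an illustration and not part of the AppArmor tools, that pulls both complain-mode (ALLOWED) and enforce-mode (DENIED) events per profile out of syslog/dmesg lines and applies a cutoff timestamp inclusively. The log lines, epoch values and profile name are constructed.

```python
import re
from collections import defaultdict

# Kernel AppArmor audit lines as they appear in syslog/dmesg:
# ... audit(<epoch>.<ms>:<serial>): apparmor="DENIED" operation="open" ...
AUDIT_RE = re.compile(r'audit\((?P<ts>\d+)\.\d+:\d+\):\s*(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')   # key="quoted" or key=bare

def parse_event(line):
    """Return a dict of fields for an AppArmor audit line, or None otherwise."""
    m = AUDIT_RE.search(line)
    if not m or 'apparmor=' not in m.group('fields'):
        return None
    ev = {key: (quoted or bare) for key, _, quoted, bare in FIELD_RE.findall(m.group('fields'))}
    ev['ts'] = int(m.group('ts'))   # whole seconds since the epoch
    return ev

def collect(lines, since=None):
    """Group ALLOWED (complain) and DENIED (enforce) events by profile.

    Events older than `since` (epoch seconds) are skipped. The comparison is
    inclusive on purpose: an event logged in the same second as the cutoff
    (e.g. a profile's write time) is kept rather than silently dropped.
    """
    out = defaultdict(lambda: {'ALLOWED': [], 'DENIED': []})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get('apparmor') not in ('ALLOWED', 'DENIED'):
            continue
        if since is not None and ev['ts'] < since:
            continue
        out[ev['profile']][ev['apparmor']].append(
            (ev.get('name'), ev.get('denied_mask') or ev.get('requested_mask')))
    return dict(out)

# Constructed sample: one older complain-mode entry, then the two
# enforce-mode denials for cat and grep described in the report above.
SAMPLE_LOG = """\
Mar 26 13:40:10 host kernel: [ 100.0] type=1400 audit(1332787210.100:10): apparmor="ALLOWED" operation="open" parent=1 profile="/tmp/foo.sh" name="/etc/fstab" pid=2 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 13:40:50 host kernel: [ 140.0] type=1400 audit(1332787250.500:11): apparmor="DENIED" operation="open" parent=3 profile="/tmp/foo.sh" name="/etc/fstab" pid=4 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 13:40:50 host kernel: [ 140.1] type=1400 audit(1332787250.900:12): apparmor="DENIED" operation="open" parent=3 profile="/tmp/foo.sh" name="/etc/passwd" pid=5 comm="grep" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
""".splitlines()

if __name__ == '__main__':
    for profile, modes in collect(SAMPLE_LOG, since=1332787250).items():
        print(profile, modes)
```

Run it against the real log with `collect(open('/var/log/syslog'), since=<profile mtime>)` to list the DENIED entries that aa-logprof should have offered for /tmp/foo.sh.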