Gábor, systemd is well-meaning in providing namespacing features so the thousands of daemons that are in the world don't have to re-implement something similar. But of course the kernel hook points used by AppArmor don't provide sufficient information to know what pathname to reconstruct when the named object isn't visible in the namespace where it was used.
Add /run/systemd/journal/dev-log w, to the profile, make sure attach_disconnected is used, and then you can return to using the systemd unit file. (Which is probably better than falling back to the sysv-init compatibility shims systemd uses.)
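To show where both changes from the reply go, here is a minimal profile fragment as an added example (not from the thread); the daemon path /usr/sbin/mydaemon is a placeholder:

```apparmor
# Added example, not from the thread: minimal profile skeleton showing the two
# changes. /usr/sbin/mydaemon is a placeholder for the confined daemon.
#include <tunables/global>

# attach_disconnected goes in the profile's flags: when the daemon runs in a
# systemd-created namespace, the journal socket it writes to has no pathname
# AppArmor can reconstruct, so the flag tells AppArmor to attach such
# "disconnected" objects to the profile's namespace root instead of denying.
/usr/sbin/mydaemon flags=(attach_disconnected) {
  #include <abstractions/base>

  # Once the path can be attached, this rule grants the write that logging
  # to /dev/log (the journal's socket) needs.
  /run/systemd/journal/dev-log w,

  # ... the daemon's remaining rules ...
}
```

Reload the profile with `apparmor_parser -r` and confirm the denials stop appearing in the audit log before switching back to the systemd unit.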
Thanks