Add these two lines after the first apparmor_parser load:
printf "usr.bin.serge.allow loaded, sha1 "
cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.serge.*/sha1
Add these two lines after the second apparmor_parser load:
printf "usr.bin.serge.deny loaded, sha1 "
cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.serge.*/sha1
So I think this rules out caching inconsistencies.
I made some slight adjustments to test.sh and found that the sha1 of the loaded profile changes after reloading:
# ./test.sh 4a8749ded59787ce0f5dc0785 fdb0bc8e556f4dd8b7136a7d7
usr.bin.serge.allow loaded, sha1 7e932d334f64e15
usr.bin.serge.deny loaded, sha1 7045ef3e6721273
failed
The audit messages logged at the same time:
type=AVC msg=audit(1383780124.809:900): apparmor="STATUS" operation="profile_load" parent=14173 profile="unconfined" name="/usr/bin/serge" pid=14176 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.809:900): arch=c000003e syscall=1 success=yes exit=16785 a0=5 a1=ab8f00 a2=4191 a3=7fff0ec3b4c0 items=0 ppid=14173 pid=14176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts7 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=AVC msg=audit(1383780124.913:901): apparmor="STATUS" operation="profile_replace" parent=14173 profile="unconfined" name="/usr/bin/serge" pid=14188 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.913:901): arch=c000003e syscall=1 success=yes exit=16953 a0=5 a1=1b58f00 a2=4239 a3=7fff4b63f570 items=0 ppid=14173 pid=14188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts7 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
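As an added example, not the reporter's test.sh and not part of the original report: a small script that does the same check more systematically, reading the sha1 the kernel exposes under securityfs for a loaded profile, comparing it across a reload, and pulling the profile_load / profile_replace STATUS records out of audit output. The function names are mine; the securityfs root is a parameter so the demo can run against a constructed directory tree (no AppArmor needed), and the audit lines in the demo are constructed from the two STATUS records above with most SYSCALL fields trimmed.

```shell
#!/bin/sh
# Added example, not the reporter's test.sh. Reads the kernel-side sha1 of a loaded
# AppArmor profile, compares it across a reload, and extracts profile_load /
# profile_replace events from audit output. SECURITYFS root is a parameter so the
# demo at the bottom can use a constructed tree instead of a live kernel.

# Print the sha1 the kernel reports for loaded profile NAME (securityfs spelling:
# usr.bin.serge for /usr/bin/serge). The kernel names the directory NAME.<id>,
# hence the glob. Returns 1 when no such profile is loaded.
loaded_profile_sha1() {
    name=$1
    root=${2:-/sys/kernel/security/apparmor}
    for d in "$root"/policy/profiles/"$name".*; do
        [ -f "$d/sha1" ] || continue
        cat "$d/sha1"
        return 0
    done
    return 1
}

# Compare the currently loaded sha1 of NAME against BEFORE (the value recorded
# before apparmor_parser ran). Prints one of: replaced, unchanged, not loaded.
check_reload() {
    name=$1
    before=$2
    root=$3
    cur=$(loaded_profile_sha1 "$name" "$root") || { echo "not loaded"; return 0; }
    if [ "$cur" = "$before" ]; then
        echo unchanged
    else
        echo replaced
    fi
}

# From an audit log file, print "timestamp operation name pid" for every
# AppArmor STATUS record whose operation is profile_load or profile_replace.
audit_profile_events() {
    awk '/apparmor="STATUS"/ && /operation="profile_(load|replace)"/ {
        ts = op = name = pid = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^msg=audit\(/) { ts = $i; sub(/^msg=audit\(/, "", ts); sub(/\):?$/, "", ts) }
            if ($i ~ /^operation=/)  { op = $i; sub(/^operation="/, "", op); sub(/"$/, "", op) }
            if ($i ~ /^name=/)       { name = $i; sub(/^name="/, "", name); sub(/"$/, "", name) }
            if ($i ~ /^pid=/)        { pid = $i; sub(/^pid=/, "", pid) }
        }
        print ts, op, name, pid
    }' "$1"
}

# Demo against a constructed securityfs tree: the two sha1 values are the ones
# the reporter saw after loading usr.bin.serge.allow and usr.bin.serge.deny.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/policy/profiles/usr.bin.serge.7"
    echo 7e932d334f64e15 > "$root/policy/profiles/usr.bin.serge.7/sha1"   # after .allow
    before=$(loaded_profile_sha1 usr.bin.serge "$root")
    echo 7045ef3e6721273 > "$root/policy/profiles/usr.bin.serge.7/sha1"   # after .deny
    printf 'usr.bin.serge: %s\n' "$(check_reload usr.bin.serge "$before" "$root")"

    # Constructed audit lines shaped like the STATUS records in the report.
    cat > "$root/audit.log" <<'EOF'
type=AVC msg=audit(1383780124.809:900): apparmor="STATUS" operation="profile_load" parent=14173 profile="unconfined" name="/usr/bin/serge" pid=14176 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.809:900): arch=c000003e syscall=1 success=yes exit=16785 pid=14176 comm="apparmor_parser" exe="/sbin/apparmor_parser"
type=AVC msg=audit(1383780124.913:901): apparmor="STATUS" operation="profile_replace" parent=14173 profile="unconfined" name="/usr/bin/serge" pid=14188 comm="apparmor_parser"
EOF
    audit_profile_events "$root/audit.log"
    rm -rf "$root"
}
demo
```

On a live system, run `loaded_profile_sha1 usr.bin.serge` before and after each `apparmor_parser -r`, then `check_reload` with the recorded value: "replaced" means the kernel is holding different policy than before, "unchanged" means the reload produced identical policy, and "not loaded" means the profile directory is absent from securityfs. The audit records only say that a load or replace happened, so pairing them with the sha1 comparison is what separates "the parser ran" from "the kernel actually took new policy".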