Sadly yes. AppArmor currently doesn't do audit message deduping, leaving it entirely to the audit infrastructure. Which means denial messages can fill the logs.
There is current work to fix this by providing a dedup cache that will hopefully land in 4.20 ** Changed in: apparmor (Ubuntu) Importance: Undecided => Wishlist -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1787600 Title: kernel: [ 6230.503218] audit: type=1400 audit(1534512537.321:398960): apparmor="DENIED" operation="open" profile="snap.gnome-system-monitor .gnome-system-monitor" name="/run/mount/utab" pid=2265 comm="gnome- system-mo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Status in apparmor package in Ubuntu: New Bug description: This log repeats so many times in file /var/log/syslog and /var/log/kern.log, causing the size of 2 files exceed 100Mb To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1787600/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
