feat(profile): improve support for some profiles.

Most of the rules have come from the integration tests.

apparmor.d/groups/systemd/systemd-analyze

@@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} {
 
   signal (send) peer=child-pager,
 
+  unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system,
+
   #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
 
   @{exec_path} mr,

apparmor.d/groups/systemd/systemd-cgls

@@ -10,6 +10,8 @@ include <tunables/global>
 profile systemd-cgls @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.systemd1>
+  include <abstractions/consoles>
 
   capability sys_ptrace,
 
@@ -17,6 +19,8 @@ profile systemd-cgls @{exec_path} {
 
   signal send set=cont peer=child-pager,
 
+  unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system,
+
   @{exec_path} mr,
 
   @{pager_path} rPx -> child-pager,

apparmor.d/groups/systemd/systemd-hostnamed

@@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
   /etc/machine-info rw,
   /etc/os-release r,
 
+  @{att}/@{run}/systemd/notify rw,
+
   @{run}/systemd/default-hostname rw,
-  @{run}/systemd/notify rw,
   @{run}/udev/data/+dmi:* r,              # for motherboard info
 
   @{sys}/devices/virtual/dmi/id/ r,

apparmor.d/groups/systemd/systemd-localed

@@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   /etc/X11/xorg.conf.d/.#*.confd* rw,
   /etc/X11/xorg.conf.d/*.conf rw,
 
-  @{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/notify rw,
 
   include if exists <local/systemd-localed>
 }

apparmor.d/groups/systemd/systemd-logind

@@ -95,6 +95,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 
   @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
 
   @{run}/systemd/inhibit/ rw,
   @{run}/systemd/inhibit/.#* rw,

apparmor.d/groups/systemd/systemd-oomd

@@ -25,6 +25,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/oomd.conf.d/{,**} r,
 
   @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
 
   @{run}/systemd/io.system.ManagedOOM rw,
   @{run}/systemd/io.systemd.ManagedOOM rw,

apparmor.d/groups/systemd/systemd-resolved

@@ -41,8 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/resolved.conf r,
   /etc/systemd/resolved.conf.d/{,*} r,
 
+  @{att}/@{run}/systemd/notify w,
+
   @{run}/systemd/netif/links/* r,
-  @{run}/systemd/notify rw,
   @{run}/systemd/resolve/{,**} rw,
 
   @{PROC}/@{pid}/cgroup r,

apparmor.d/groups/systemd/systemd-timedated

@@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
   /etc/.#timezone* rw,
   /etc/timezone rw,
 
-  @{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/notify rw,
 
   /dev/rtc@{int} r,
 

apparmor.d/groups/systemd/systemd-userdbd

@@ -30,6 +30,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
 
   /etc/machine-id r,
 
+  @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
   @{run}/systemd/userdb/{,**} rw,
 
   @{PROC}/@{pid}/cgroup r,