On 06/24/2013 07:28 PM, Aaron Lewis wrote: > Hi guys, > > I have two problems when IPv6 is enabled, > > A. for chrome browser, > > I don't know how to define a "sub" profile without knowing absolute > path of Chrome_IOThread > > [ 771.956817] type=1400 audit(1372127142.646:1647): apparmor="DENIED" > operation="create" parent=1 profile="/usr/lib/chromium/chromium" > pid=4878 comm="Chrome_IOThread" family="inet6" sock_type="dgram" > protocol=0 > you may not be able to define a subprofile for the io thread. Subprofiles depend on either the application doing an exec, or using an api to set the profile for a thread or forked process.
I don't have enough context to know what is happening here. Can you attach a copy of your profiles or at least its x rules? > B. for weechat, > > I already have the following line defined, but still not able to use > IPv6 network, > > network inet6 stream, > this rule only gives access to stream, ie. tcp style sockets. you will need to either add network inet6 dgram, or the broader networking rule network inet6, > > [ 795.142540] type=1400 audit(1372127165.826:1689): apparmor="DENIED" > operation="create" parent=11789 profile="/usr/bin/weechat-curses" > pid=11791 comm="weechat-curses" family="inet" sock_type="stream" > protocol=6 > So this is an IPv4 request, it could be running in parallel or being tunneled over you IPv6 the rule for this is network inet stream, or a more generic rule that would allow dgrams too network inet, > > > -- > Best Regards, > Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) > Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
