Hi u,

On 2016-06-27 04:57 PM, u wrote:
> Hi!
>
> Simon Déziel:
>> On 2016-04-18 04:36 PM, Seth Arnold wrote:
>> The web view doesn't make it very easy to spot but those rules apply
>> only to the _subprofile_ gpg2.
>
> I've tested the profile at revision 169 in Debian and Tails using the
> Enigmail account wizard. This wizard, supposed to make it easier for
> users to create GPG keys, imposes the creation of a revocation
> certificate. This certificate is supposed to be saved to Thunderbird's
> profile in $HOME/.thunderbird/$profile but that fails and thus the key
> creation seems not to be finalized (actually the keys are created
> correctly but the user gets an error about the revocation cert not being
> able to be created):
>
> [16449.351352] audit: type=1400 audit(1467057664.224:36):
> apparmor="DENIED" operation="mknod" profile="icedove//gpg2"
> name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc"
> pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I'm surprised it's not using ~/.gnupg/. Maybe it's saving a copy in the
corresponding Thunderbird profile dir.

> (In my test profile, all "thunderbird"s are called "icedove", so that's
> not the problem here.)
>
> A solution which seems to work is to add a line to the subprofile for gpg2:
>
> # for enigmail's wizard revocation certificate creation
> owner @{HOME}/.thunderbird/*.default/*_rev.asc rw,

You can have more than 1 profile so I'd propose that:

owner @{HOME}/.thunderbird/*/0x*_rev.asc rw,

Untested as I'm too impatient to wait for the key pair generation to
complete :)

Regards,
Simon
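
The two candidate rules in this message can be compared offline against the logged denial. The following is an added example, not code from either poster or from the AppArmor project: it parses the audit record and tests each rule's glob against candidate paths. Assumptions: `@{HOME}` is simplified to `/home/*`, only the `*`, `**` and `?` glob operators are modelled, `.icedove` is swapped for `.thunderbird` so the rules apply as written, and the second profile directory is constructed.

```python
import re

# Denial quoted in the message above (that test profile uses "icedove" names).
AUDIT = ('audit: type=1400 audit(1467057664.224:36): apparmor="DENIED" '
         'operation="mknod" profile="icedove//gpg2" '
         'name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc" '
         'pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" '
         'fsuid=1000 ouid=1000')

RULE_U = "@{HOME}/.thunderbird/*.default/*_rev.asc"   # first proposal
RULE_SIMON = "@{HOME}/.thunderbird/*/0x*_rev.asc"     # second proposal

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob, home="/home/*"):
    """Simplified AppArmor globbing: '*' and '?' never cross '/', '**' does."""
    glob = glob.replace("@{HOME}", home)  # assumption: simplified tunable
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def rule_allows(glob, path, fsuid, ouid):
    """'owner' rule: the path must match and the process must own the file."""
    return fsuid == ouid and glob_to_regex(glob).match(path) is not None

def check(path):
    d = parse_denial(AUDIT)
    return {who: rule_allows(rule, path, d["fsuid"], d["ouid"])
            for who, rule in (("u", RULE_U), ("simon", RULE_SIMON))}

# Logged path, renamed so the .thunderbird rules apply as written.
DENIED = parse_denial(AUDIT)["name"].replace("/.icedove/", "/.thunderbird/")
# Constructed: a second profile directory that does not end in ".default".
SECOND = "/home/amnesia/.thunderbird/abcd1234.work/0xA546D1BB6B894CA3_rev.asc"

if __name__ == "__main__":
    for p in (DENIED, SECOND):
        print(p, check(p))
```

Both rules cover the logged path; only the second covers a profile directory not named `*.default`, and its `0x*` prefix is narrower on the file name.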
