Hello Seth

>> The ..//null-.. profiles are created by the kernel when a process
>> in a complain-mode profile executes another program.

OK, I understand this, but the main xfce4-dict program was Enforced. The "//null-" profiles were shown in the aa-status(8) command result. (It concerned the mentioned /usr/bin/enchant-lsmod and /usr/bin/enchant; see first message etc.) As I already mentioned, everything has changed after converting "rix" to "mrix" mode for these two enchant files.

According to all of this, I would like to ask if it is okay? (I mean the access mode change.) Can I use these rules?

/usr/bin/enchant mrix,
/usr/bin/enchant-lsmod mrix,

With "mrix" access mode, xfce4-dict is working as it should and there are no "DENIED" entries in the log files etc. So?

There is one more thing - an ".ecryptfs" folder. During profile creation and after, it turned out that the dictionary needs access to the "/home/.ecryptfs/" folder. Because I see no reason why xfce4-dict should have such access, I decided to deny/forbid this operation. And everything works normally - no "DENIED" entries in the log files, no problems with xfce4-dict etc. Have I made a good decision? What is your opinion, what really should I do in this case?

By the way - which access mode should be used in an AppArmor profile for requested_mask="rac" denied_mask="rac"? I'm asking because there are a couple of entries, such as:

apparmor="ALLOWED" operation="open" profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/home/user4859/.config/enchant/en_EN.dic" pid=3027 comm="enchant" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000

It is an excerpt from a log entry, created at the beginning. I was thinking about applying, for example, "rw" mode. Honestly, I don't know, but for now I use "rw" in the xfce4-dict profile. I'm not quite sure. Once again: what is your opinion? What should I do and which access mode should be used?

Thanks, best regards.
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
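The log entry quoted in the message, run through a small parser that turns audit mask letters into file-rule permissions. This is an added example, not part of the original message and not AppArmor's own tooling; the function names are hypothetical, and the mapping assumes the usual rule semantics in which "w" covers create, delete and append.

```python
import re
from collections import defaultdict

# Log mask letter -> file-rule permission. Create (c) and delete (d) have no
# rule letter of their own; "w" grants both. Exec (x) is left out on purpose:
# an exec rule needs a transition qualifier (ix, px, ...) chosen by hand.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
               "l": "l", "k": "k", "m": "m"}
RULE_ORDER = "mrwalk"
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log entry quoted in the message above.
SAMPLE = ('apparmor="ALLOWED" operation="open" '
          'profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" '
          'name="/home/user4859/.config/enchant/en_EN.dic" pid=3027 '
          'comm="enchant" requested_mask="rac" denied_mask="rac" '
          'fsuid=1000 ouid=1000')

def parse_event(line):
    """Return the key=value fields of one AppArmor audit message."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def rule_perms(mask):
    """Translate a requested/denied mask into file-rule permission letters."""
    perms = {LOG_TO_RULE[c] for c in mask if c in LOG_TO_RULE}
    if "w" in perms:
        perms.discard("a")  # "w" already covers append; the two conflict
    return "".join(p for p in RULE_ORDER if p in perms)

def suggest_rules(lines):
    """Merge events per (profile, path) into candidate file rules."""
    wanted = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("apparmor") not in ("ALLOWED", "DENIED") or "name" not in ev:
            continue
        # In complain mode (ALLOWED) denied_mask is what enforce mode would block.
        key = (ev.get("profile", "?"), ev["name"])
        wanted[key].update(ev.get("denied_mask", ""))
    return {key: f"{key[1]} {rule_perms(mask)}," for key, mask in wanted.items()}

if __name__ == "__main__":
    for (profile, _), rule in suggest_rules([SAMPLE]).items():
        print(f"{profile}: {rule}")
```

The output is a candidate only: whether the path deserves write access at all, or should be narrowed with a qualifier such as `owner`, is still a review decision.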
