On 2017-10-31 08:32 AM, Philipp Kern wrote:
> When I use Thunderbird I see a lot of these in the kernel log (probably
> whenever I look at a signed and/or encrypted email):
>
> [94784.485686] audit: type=1400 audit(1509453045.981:153):
> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
> name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> I don't see an obvious degradation of the client. Even gpg-encrypted
> mails get handled correctly by Enigmail. But I suppose some kind of rule
> is missing to make the log lines go away?

On Ubuntu, omni.ja is in /usr/lib/thunderbird and there is no symlink to /usr/share/thunderbird. This is probably not relevant here though.

That said, I never encountered this denial myself. I don't see why gpg would need to access this zip file inherited by the parent, so I'd be tempted to add a deny rule to silence it. Opinions?

Regards,
Simon
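
The following is an added example, not part of this thread or of the Thunderbird AppArmor profile: it parses audit lines like the one quoted above, counts repeated denials, and prints one candidate `deny` rule per distinct denial for review. The function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Sample input: line 1 is the denial quoted in the thread; line 2 (a repeat with
# a different timestamp/pid) and line 3 (an ALLOWED record) are constructed.
SAMPLE_LOG = """\
[94784.485686] audit: type=1400 audit(1509453045.981:153): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[94801.120034] audit: type=1400 audit(1509453062.616:154): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/omni.ja" pid=4452 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[94802.000100] audit: type=1400 audit(1509453063.496:155): apparmor="ALLOWED" operation="open" profile="thunderbird" name="/etc/hosts" pid=4401 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def summarize_denials(log_text):
    """Count DENIED file records per (profile, operation, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue  # skip ALLOWED/complain-mode and non-file records
        key = (rec.get("profile", "?"), rec.get("operation", "?"),
               rec["name"], rec.get("denied_mask", "?"))
        counts[key] += 1
    return counts


def candidate_deny_rules(counts):
    """Render one candidate rule per distinct denial, prefixed by its profile."""
    return [f"{profile}: deny {name} {mask},  # {n}x {op}"
            for (profile, op, name, mask), n in sorted(counts.items())]


if __name__ == "__main__":
    for rule in candidate_deny_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

An explicit `deny` rule is not logged by AppArmor, which is why it silences the message; the rule itself would go inside the `gpg` child profile named in the `profile=` field.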

