On 8/8/18 2:21 PM, Christian Boltz wrote:
Hello,

Stephen, while we are discussing this, I'd like to give you an easy workaround:

If you need a solution that works for all users (and is a bit less strict because it only enforces that the directory name has to start with a digit)

    alias /tmp/ -> /run/user/[0-9]*/,

After adding the alias, reload all AppArmor profiles.
Christian,

Somehow I missed this earlier...

I had to revisit this, because

    # grep apparmor /var/log/dpkg.log
    2018-11-16 07:21:25 conffile /etc/apparmor.d/usr.bin.thunderbird install

re-broke things. (sigh, my workplace daily notices were throwing more apparmor="DENIED" traps and leaving my message-pane blank. (would be nice if there was a tool for the desktop to issue notifications in these cases. maybe there is, but my lack of searching for it has amazingly not revealed it! ;))

Seems that the latest thunderbird update should honor the aa-complain status of my system. Looking at: /var/lib/dpkg/info/thunderbird.postinst

I see some logic that looks like I should be using a "disable" link. That seems like it would be different, however, than just setting it to 'complain' mode. (I don't mind having it complaining and logging, but it's a lot more unfriendly to just disable it on my part, or to re-enable enforcing when I am in complain mode)

I dunno if I should file a bug report on that :-/ (I see that this bug is still in 'thunderbird', and the apparmor file is dpkg-owned by thunderbird, so maybe just consider this comment a bug report addition)

Anyway, I implemented your workaround. I may test it out with aa-enabled again at some point just to make sure it's working.

thanks,
--stephen
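
Added illustration (not part of either message, and not code from AppArmor or Thunderbird): a small Python script that pulls apparmor="DENIED" events out of kernel audit lines and marks the paths that fall under the /run/user/[0-9]*/ alias target from the workaround. The log lines are constructed samples, and the names `parse_event` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit lines (not taken from the thread).
SAMPLE_LOG = '''\
Nov 16 07:30:01 host kernel: audit: type=1400 audit(1542353401.101:210): apparmor="DENIED" operation="open" profile="thunderbird" name="/run/user/1000/example-dir/msg.html" pid=4242 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 16 07:30:02 host kernel: audit: type=1400 audit(1542353402.202:211): apparmor="ALLOWED" operation="open" profile="thunderbird" name="/run/user/1000/example-dir/a.png" pid=4242 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 16 07:30:03 host kernel: audit: type=1400 audit(1542353403.303:212): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/user/example.txt" pid=4242 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 16 07:30:04 host kernel: audit: type=1400 audit(1542353404.404:213): apparmor="DENIED" operation="open" profile="thunderbird" name="/run/user/1000/example-dir/msg.html" pid=4242 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 16 07:30:05 host cron[99]: unrelated line
'''

# key="quoted value" or key=bare_value pairs as they appear in audit lines.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Regex form of the glob /run/user/[0-9]*/ : one digit, then anything but "/".
ALIAS_TARGET = re.compile(r'^/run/user/[0-9][^/]*/')


def parse_event(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def summarize(log_text):
    """Count DENIED events per (profile, path); ALLOWED (complain mode) is skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_event(line)
        if not event or event.get('apparmor') != 'DENIED':
            continue
        counts[(event.get('profile', '?'), event.get('name', '?'))] += 1
    return [
        {'profile': profile, 'path': path, 'count': count,
         'under_alias_target': bool(ALIAS_TARGET.match(path))}
        for (profile, path), count in counts.most_common()
    ]


if __name__ == '__main__':
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Feeding it the output of `journalctl -k` or the contents of the system log instead of `SAMPLE_LOG` gives a per-path count of denials to review after a profile update.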