On 8/8/18 2:21 PM, Christian Boltz wrote:
Helllo,
Stephen, while we are discussing this, I'd like to give you an easy
workaround:
If you need a solution that works for all users (and is a bit less
strict because it only enforces that the directory name has to start
with a digit)
alias /tmp/ -> /run/user/[0-9]*/,
After adding the alias, reload all AppArmor profiles.
Christian,
Somehow i missed this earlier...
I had to revisit this, because
# grep apparmor /var/log/dpkg.log
2018-11-16 07:21:25 conffile /etc/apparmor.d/usr.bin.thunderbird install
re-broke things. (sigh, my workplace daily notices were throwing more
apparmor="DENIED" traps and leaving my message-pane blank.
(would be nice if there was a tool for the desktop to issue notifications in
these cases. maybe there is, but my lack of searching for it has amazingly not
revealed it! ;))
Seems that the latest thunderbird update should honor the aa-complain status of
my system.
Looking at : /var/lib/dpkg/info/thunderbird.postinst
I see some logic that looks like i should be using a "disable" link. That
seems like it would be different, however, than just setting it to 'complain' mode.
(I don't mind having it complaining and logging, but it's a lot more unfriendly
to just disable it on my part, or to re-enable enforcing when i am in complain
mode)
I dunno if i should file a bug report on that :-/ (i see that this bug is
still in 'thunderbird', and the apparmor file is dpkg-owned by thunderbird, so
maybe just consider this comment a bug report addition)
Anyway, i implemented your workaround. I may test it out with aa-enabled again
at some point just to make sure it's working.
thanks,
--stephen
