In particular, I see: [ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override" [ 1212.557110] type=1400 audit(1319105597.357:26): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=2 capname="dac_read_search"
That's something that we really don't want to grant, and we should just hide the message. [ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest- session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome- keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0 (for a few more PIDs, too). None of these PIDs exist any more after starting the session; the profile allows the guest session to look into /proc directories for processes which are owned by guest, nothing else. So these processes should belong to some other owners. However, I notice that e. g. seahorse complains about not being able to connect to the keyring, so apparently something needs fixing here. [ 1213.832400] type=1400 audit(1319105598.637:32): apparmor="DENIED" operation="open" parent=12039 profile="/usr/lib/lightdm/lightdm-guest- session-wrapper" name="/proc/2/stat" pid=12073 comm="killall" requested_mask="r" denied_mask="r" fsuid=118 ouid=0 This error message seems harmless. [ 1228.269177] type=1400 audit(1319105613.097:210): apparmor="DENIED" operation="open" parent=12218 profile="/usr/lib/lightdm/lightdm-guest- session-wrapper" name="/lib64/" pid=12219 comm="whereis" requested_mask="r" denied_mask="r" fsuid=118 ouid=0 We can allow reading/mapping /lib64, I'll add that. [ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest- session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118 mknod sounds like a no-no. s-c-p should have no business doing this. I'll hide the AA error. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/877736 Title: the guest account apparmor profile blocks things that seem useful Status in “lightdm” package in Ubuntu: Triaged Bug description: The Oneiric apparmor profile generates quite some syslog noise including warning about: gwibber unity upgrade scripts fusermount (gvfs?) gnome-keyring system-config-printer debug Is that wanted or is the profile too restrictive and should allow at least some of those uses? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/877736/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
