Hi Mr Johansen
Thanks for the comprehensive answer. I understood
a lot about AppArmor profiles etc., but there is still
more and more to learn. I do not know if I manage with
this - profile creations. Anyway, I will try. There is so much
documentation about AppArmor, right? That's all what
Hi. As we know, default Firefox profile contains something like this;
,-[ Default profile allows (...) ]
| owner @{HOME}/ r,
| owner @{HOME}/Public/ r,
| owner @{HOME}/Public/* r,
| owner @{HOME}/Download/ r,
| owner @{HOME}/Download/* rw,
`-
Default profile allows downloads to
Hi Mr Arnold
Luckily everything seems to be fine - no problems
with e.g. screen resolutions, accelerated rendering
of 3D graphics or interconversion of video file formats.
So, I will leave it as it is.
Thanks.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
Hi
I would like to ask what happened with the *lightdm-guest-session*
profile from */etc/apparmor.d/* directory? If I remember correctly,
this profile contains a lot of policies, rules etc. Now it looks like
this:
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
#include
Hi Mr Jamie,
So everything is fine with lightdm-guest-session and it is
normal that it contains only a few lines? I do not have to
change anything? Guest account is still well protected by
AppArmor? Sorry, I had doubts when it comes to the guest
account protection etc.
One more thing mr Jamie.
Hi Mr Seth,
Thank you, for providing me an information, about a guest
account protections. Generally, I mean a confirmation, that
this account is well protected. Anyway, I was just freaking out
about a default 'lightdm-guest-session' profile and that - for me -
it seems empty. So I was thinking,
Hi Christian,
So, if "c" means create file/directory then if AppArmor audit
entries (for example from log files etc.) contains something like
this:
operation="mkdir", requested_mask="c", denied_mask="c"
Then, rule in an AppArmor application profile should look like:
/home/user/.app/ w,
Am I
Hi John.
Okay, now it is more understandable. I will try to modify my
AppArmor profile and see what's going to happen etc. If I will
have any problems or questions, I will write a message.
You asked what I am trying to achieve with my policy. So, I just
want to make a profile for a
Hello.
Some time ago, I've decided to create a profile for the 'plugin-container'
process to make a Firefox web browser even more secure. Everything seems to
work okay. I've managed to "solve" the DENIED messages/entries from a
system log files, such as e.g. '/var/log/kern.log' etc.
Anyway,
Hello.
I'm trying to create/write a profile for a transmission-gtk application.
Everything seems to work okay, but there is a couple of things which
creates a DENIED messages in a log files (e.g. /var/log/kern.log) etc.
Firstly, I would like to ask about 'requested_mask' and 'denied_mask' with
Hello.
Yes Jamie, You're right: 'uuid' is root owned and there is a denied entry
with 'fsuid=1000, ouid=0' in a log file (e.g. '/var/log/syslog'). So, I
will try to remove 'owner' and see what happens. But it is not more secure
with the 'owner' option?
Seth, You wrote that "the 'owner' modifier
Hello Mr Strandboge.
Okay, thank You for an explanation. Now it's more clear. And what about
'~/Private' directory? Should I allow transmission-gtk to access ("rw")
such location? It seems to be pretty important place (I mean from a
security point of view).
Anyway, thanks for all suggestions,
Hello Seth.
>> Correct, the 'c' means 'create' (...) The user-friendly tools convert
>> the 'c' to 'w' permission.
Okay, thank You for the explanation. So, a rule mentioned by me should be
enough? (I mean: 'owner $HOME/.cache/dconf/user rw,') If 'c' mean
'create', then 'rw' access should be
Hi Simon.
Yes, I've noticed an "official" PulseAudio profile (I even use this profile
as a source etc.), but there is one thing, which seems to be important:
lacks of some directories, files, that are included, as rules, in an
"official" profile. I've mentioned about it in my first mail. An
Hi Seth
>> Yes, this looks like a good addition to your logrotate profile.
Okay, added. Thank You very, very much. I hope, that Christian will take
into account all these rules and will update the logrotate profile ;- )
Best regards.
Hi Seth
>> Don't forget that 12.04 LTS runs out of support in about two
>> months (...)
Yes, I remember about this and preparing to do an update. Of course, after
an update, I will change python3 rules etc., so it will be matching to the
updated - system - version. Seth, thanks for viewing this
Hi
Today, I noticed a new entries related to the logrotate profile. System was
slowing down, two files - '/var/log/kern.log' and '/var/log/syslog' - were
empty so I checked '/var/log/kern.log.1' file and there was something like
this:
Feb 5 11:34:52 t4 kernel: [ 1859.724491] type=1400
Hi Seth
Today (based on your opinion, see 1.), I've added "lsb_release" child
profile to the Firefox existing profile. I had to make a few small changes, due
to the version of Python etc. Your "lsb_release" child contains - for
example - rule related to the python3.[0-4] version, which is not
Hi Seth
Thank You for helping me and for explanation. I'm thinking about three ways
to handle the whole situation;
1) add "lsb_release" child profile (which You provided) to my Firefox
profile and of course make it works on my system etc.,
2) ignore the whole thing - I mean DENIED entry in the
Hi
On Wed Jan 11, I've sent the first message to this list describing a
problem with Firefox and plugin-container crash etc. Adding one rule to the
Firefox profile were considered as a solution to the problem. It was
something like this one:
owner @{PROC}/[0-9]*/task/* r,
But; on Jan 24.,
Hi Seth
First of; I'm sorry for such a long time without answer, but I was doing
some tests; over and over again. I mean WebGL issue and AppArmor DENIED
messages for "/home/user/.nv/" folder etc.
First things first; a few months ago, I've decided to disable WebGL, in
order to reduce some attack
Hi Seth
It seems, that adding "owner @{HOME}/.nv/gl* rwm," rule to the
file and use nvidia abstractions (included in the
Firefox profile) helped. Now, after every Firefox start there isn't any
DENIED entry related to the ".nv" folder (I mean in log files such as
'/var/log/kern.log' or
Hi
Unfortunately, after Firefox update to the 51.0.1 version, there are still
a new ones DENIED messages in the log files (I've tried to restart Firefox
several times and the result was the same all the time);
Jan 27 17:04:56 t4 kernel: [16012.980569] type=1400
audit(1485533096.203:54):
Hi Seth
I'm a little tired, so; to be one hundred percent sure and to avoid mistakes
etc. I have to:
* add "owner @{HOME}/.nv/gl* rwm," to the file (even
if there are already some rules, right?) It can be added at the very end of
the file? (Geez - such naive question.)
* edit Firefox profile
Hi
Today I've noticed a strange thing - new DENIED entries, related to the
logrotate, in log files such as '/var/log/kern.log' and '/var/log/syslog'.
Honestly, I wonder why these entries have appeared after such a long time.
I thought, that a profile for logrotate has been updated properly.
I'm sorry for a double message, but I didn't notice one entry:
"/etc/rcS.d/". So, now my proposition for a new rules is:
/etc/rc2.d/ r,
/etc/rc2.d/* r,
/etc/rcS.d/ r,
/etc/rcS.d/* r,
/usr/bin/xargs mrix,
What do you think - is it okay?
Hi Seth
In my case, the use of the guest account is not something that happen very
often and if it's already happening then it does not takes too long; I
think, less than an hour. It's good to know, that it's nothing bad (I mean
log entries etc.) and can be silenced by adding "deny" to these
Hi Seth
Thanks for an answer. Now, I know what to do ;- ) Best regards.
Hi
I'd noticed, that after login as a guest and after taking some typical
operations, such as, web browsing with newest Firefox 51.0.1 release etc.,
system log files - for example - '/var/log/kern.log' and '/var/log/syslog'
contains "DENIED" entries. Here they are:
* /var/log/kern.log file:
Feb
Hi
On Wed, Jan 18 there was an update for the nvidia-graphics-driver package
[1]. Now, after first Firefox starting - for example - via clicking on an
icon, there are such entry in log files:
Jan 19 11:37:46 t4 kernel: [ 202.713770] type=1400
audit(1484822266.943:53): apparmor="DENIED"
Hi Seth
There are some rules, which are confusing me. I would like to ask You about
them etc. So, here they are:
## the lack of "/"?
@{PROC} r,
## Isn't the same thing?
@{PROC}/*/fd/ r,
@{PROC}/[0-9]*/fd r,
What do You think; what is your opinion? I've removed an "owner" prefix
from these
Hi Seth
Yes, I think you're right. But I just wanted to notice this problem,
because of no result "aa-unconfined" utility. The latest Linux kernel
version, which is used in 12.04 LTS Release is 3.2.86, while "Precise" is
still at 3.2.79 level. Anyway, according to the kernel mailing list the
Hi,
Today I've noticed - in log files - some AppArmor entries related to the
/etc/cron.daily/logrotate profile. I would like to ask about rules, which I
should add to this profile. And here are messages from /var/log/kern.log
and /var/log/syslog files (I omitted some info, like date, parent=
Hi Seth,
Thanks for an answer. So these are rules, which I should add to the
/etc/cron.daily/logrotate profile, right?
/var/lib/logrotate/ r,
/var/lib/logrotate/status.clean w, ## NOTE: in my system there is no such
file - there is only 'status'
/bin/sed mixr,
/bin/mv mixr,
Hello Seth,
Okay, thanks for an informations. Should I add some rule to the Firefox
profile? I mean: "/proc/*/net/arp" or leave it as is? Honestly, Firefox
works normally and I saw this "DENIED" message for the first time.
Best regards.
Hi Seth,
No, I haven't installed any program etc., that try to 'correct' system
security and so on (not to mention security updates etc.) Strange. But...
chown(1) command (which you provided) and system restart seems to help - I
can open these files as a normal user and permission via ls(1)
Hi Seth,
>> I forgot to mention that "normal user" is a bit of a misnomer (...)
In my case it was the first user created during system install. (A member
of - among others - "adm" group etc.) And I could not open these files,
because of "permission denied" messages. Of course, as I mentioned
Hello Seth,
Thank you very much for an answer. Listen: something strange happened with
two files from /var/log/ directory: kern.log and syslog. I can not open
them (as always) as a normal user - I'm getting "permission denied"
message. There is also a little 'x' on an icons.
Something changed
Hello
Sorry for a double message, but maybe the whole thing is related with a
Firefox e10s - Electrolysis? Now, it's enabled (checked via
'about:support', "Multiprocess Windows" entry), but earlier it wasn't (ver.
49.0). If it's a clue, maybe Firefox profile will need some changes?
Multiprocess
Hi
Today I've had a problem with a Firefox ver 50.0. (Yesterday everything was
okay). None of the website was loaded, even when www address was entered by
me - nothing was displayed. Some of the websites, for example, duckduck.go
were... black. There was so many (about 50 and more) entries in the
Hi Christian
There is some problem with reloading Firefox profile and restarting
AppArmor (e.g. via /etc/init.d/). It seems, that responsible is one rule:
@{PROC}/@{pids}/net/arp r,
This is a rule proposed by you. Here's what happens:
[~]$ sudo apparmor_parser -r
Hi Simon
Thanks for an answer. I would like to ask if AppArmor version:
2.7.102-0ubuntu3.10 is sufficient for entries mentioned/added by you to the
"local/usr.bin.firefox" file? I'm asking because of e.g.:
dbus receive
bus=session
path=/org/gtk/Private/RemoteVolumeMonitor
Hi Christian
>> Maybe you should use abstractions/nvidia instead of adding
>> access to /dev/nvidiactl to the firefox profile.
True, maybe you're right. I'm using a default Firefox profile (with one
rule added: @{PROC}/@{pid}/net/arp r,). If it's about nvidiactl - I've
never had any problems
Hi Christian
Yes, you're right - my profile is based on a logrotate profile, which can
be found here [1]. But, as you probably noticed, I've had to add a couple
rules - for example - /bin/dash and capabilities etc.
Of course I can send a patch or even the whole profile (I think it can be
better,
Hi Seth,
Thank You once again for all your help. I really appreciate it. So if it's
about a logrotate profile: each mentioned rule seems to be okay and I can
use them. Additionally, I should add a capabilities (capability
dac_override and capability dac_read_search) but not use 'owner' with
Hi Seth
Sorry for such a long time without answer, but I'm so busy. You wrote
something interesting:
>> If you want Firefox to work as designed but limit the scope
>> of damage if it's attacked... you should allow the arp lookups
So if AppArmor DENIED /proc/2496/net/arp (requested_mask="r"
Hi Seth
>> this rule should be sufficient to allow firefox's new netid
>> feature to work.
Okay, thank you. I've noticed such AppArmor entries in log files after
Firefox update to 49.0.2 version. I haven't seen them before. So, maybe
such rule could/should be added to an official Firefox
Hello
I'm sorry for writing so many messages, but I've made a mistake: "rw"
access was related to /dev/nvidiactl not arp! So the correct rule looks this
way:
@{PROC}/@{pid}/net/arp r,
I'm sorry once again - I'm so busy right now and I don't notice some
obvious things.
Cheers.
Hi
I would like to ask a question about capability that should be used
according to this yesterday log message:
Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400
audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192
profile="/etc/cron.daily/logrotate" pid=3197
Hello
I'm so sorry for a messages write one by one, but I think that it's pretty
important. So, according to log entries from my previous message (logs
related to changed two files permissions etc.) a new rules should/could
looks like:
## BECAUSE OF: requested_mask="x" denied_mask="x"
Hi Seth and Christian
Today I've decided to test logrotate profile (before send a patch) once
again. After creating profile, put in enforce mode (via 'aa-enforce'
command) I've noticed that permission for two files from the /var/log/
directory was changed. (The same situation as before). I've
Hi John
>> if you aren't using ipv6 you should be able to drop them
Okay, so I will remove them. And what about rules according to, for
example, '@{PROC}/[0-9]*/fd'? Should I use an 'owner' with these rules? I
mean:
@{PROC}/*/fd/ r,
@{PROC}/[0-9]*/fd r,
@{PROC}/net r,
@{PROC}/net/* r,
And so
Hi Seth
Yes advices too, but You helped me a lot with this profile. Anyway, today,
after reload the logrotate profile, I've noticed in log file;
/var/log/kern.log something like this:
Dec 9 12:44:03 t4 kernel: [ 1899.771574] type=1400
audit(1481283842.997:46): apparmor="DENIED"
Hi Seth
>> 'capability fsetid' is perhaps the more unfortunate one
>> I'm not sure why it would be needed. (...)
OK, I understand it. But 'capability fsetid' is needed, right? Even if
you're not sure why it is needed.
Best regards.
Hi
Since Firefox has been updated to the version 49/50 and since e10s is
enabled - "the two major advantages of this model are security and
performance. Security improvements are accomplished through security
sandboxing (...)" etc. - I've noticed, that 'apparmor_status' command shows
two
Hello Seth
What can I write? Thank You once again for an answers. It's very valuable
and I always learn something new. OK - I will ignore blueprints ;- )
Thank You very much. Best regards.
Hi
Today, I've noticed that two files from /var/log/ directory: kern.log and
syslog were empty - nothing logged (0 bytes) and another two: kern.log.1
and syslog.1 - with logged messages. Strange. I decided to check, for
example, kern.log.1 file and see whats happened. Here's what I've found:
Dec
Hi Seth
Thank for an answer. True, all of this is pretty strange - not to mention,
for example, changed files permissions etc. Anyway, for now I should add:
/sbin/initctl Ux,
/sbin/runlevel Ux,
And the last two rules are OK, right? I mean:
capability fsetid,
/etc/lsb-base-logging.sh r,
If
Hi Seth
>> I've thought about it a bit more (...)
Thank You for taking the time and the clarification. Okay: I'll use these
rules, but without 'owner' prefix. I hope that's all. Thanks once again!
Best regards.
Hi Seth
>> I'm sorry for the bad advice (...)
No problem, really ;- )
>> Please file the bug report against the firefox source package (...)
Okay, I'll file the bug against Firefox describing "/proc/*/task/" issues
etc. Should I also describe plugin-container segfault? I think, that both
Hi
Today, after a couple hours of using Firefox (mostly YouTube and some
websites), suddenly browser closed unexpectedly (not by my action) and a
dialog box appeared related to Mozilla Crash Reporter; there was a message,
that reporter is disabled (which I did earlier - about a month ago) and no
Hello
Some time ago - generally last year - I'd asked a question about netstat(8)
and its AppArmor profile [1], which contains rules related to the IPv6
protocol, such as:
owner @{PROC}/*/net/tcp6 r,
owner @{PROC}/*/net/udp6 r,
owner @{PROC}/*/net/raw6 r,
For now, I'm not using this protocol,
Hi Seth
>> If you would please report back the success or failure of adding...
Okay, I'll add this rule (related to "@{PROC}/*/task/") to the Firefox
profile, restart AppArmor and see what will happen. But, there is one
problem - with rule provided by You. I mean:
owner @{PROC}/@{PID}/task/ r,
Hi Seth
Once again; thank You very much for all the help with updating the
logrotate profile. The version on which profile is based, was pretty
outdated, right? Honestly, I had no idea, that we will need to add so many
rules, capabilities and so on. :- )
Christian, I would like to thank You for
Hi Simon
Thanks for an answers. So, if I will remove all dbus related entries - and
leave all the rest - everything should be OK, right? Of course I'm planning
to update 12.04 LTS to a more recent release; I'm preparing to this
operation :- )
And what about this rule - can I add this one to the
Hi Christian
>> This is the usual review policy for AppArmor (...)
>> Maybe you heard about usrMerge
OK, thanks for explanations. It is logical. Yes, I've read about usrMerge -
but it was a long time ago. If I remember correctly, it was on Fedora
project website.
Anyway, I would like to ask
Hi Christian
I've one more question, regarding to your updates to the logrotate profile.
During my testing, it turned out that logrotate wants access to /bin/dash -
command interpreter. So, with help from Seth, I've used 'mrix' access.
But in your updated version (see 1.) I don't see that rule;
Hi John
Thanks for an answer and explanation. I've created a bug report, because
you have written, that: "A bug would be good, I'll try fixing it soon and
will need a bug to reference when I push the fix". Please see [1].
Anyway, I should add a rule mentioned by me in a Launchpad bug report,
Hi
Today, I've noticed one DENIED entry in a log files, such as
/var/log/kern.log etc. It was a little surprising, because I did not see any
log entry - related to Firefox - for a long time. Anyway, it looks this
way:
Dec 31 20:55:10 t4 kernel: [12559.645813] type=1400
audit(1483214110.873:46):
Hello
OK, so - in such situation - I will use something like this one:
owner @{PROC}/[0-9]*/net/tcp r,
Thanks once again, John. Best regards.
Hi Christian
Thank you once again for review etc. Honestly, I'm using logrotate profile
with your changes: without /tmp directory or @{PROC} rules and everything
seems to work OK :- ) But it will be better to wait for someone else.
This is with reference to your words: "Since nobody reviewed the
Hi
Please, forgive me that I'm writing message, one by one, but I've decided
to test logrotate profile without rules for a /tmp directory. Honestly;
I've never seen such files: logrot* or file* etc. So, I removed them, reload
logrotate profile (via apparmor_parser(8) utility) and AppArmor (via
#Copyright (C) 2016 Daniel Curtis
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General
# License published by the Free Software Foundation.
#
# --
#include
Hi Christian
Thank you very much for an explanation about missing / and also SubDomain
thing etc. It was very helpful - I learned something new today :- )
Also, thanks for taking your time to check a logrotate profile, remove some
rules, my comments and so on. Now, I'm sure that profile is
Hi Seth
>> I also don't know what tools would exist in 12.04 LTS
>> that would make it easier to investigate this issue (...)
So I have to add '1' to the /sys/module/apparmor/parameters/logsyscall,
right? OK, but in 12.04 LTS value for this one is: N
[~]$ sudo cat
Hello Seth
First of: thank You very much for an answer :- )
>> This is fine, I expect abiword is using the getpwuid(3) family
>> of APIs to find the home directory.
OK, so I will allow "r" access for these two files ('/etc/nsswitch.conf'
and '/etc/passwd'.) If it's about ecryptfs - I've tried
Hi
A couple of months ago, I've created a working AbiWord profile (till now,
there is not any DENIED entries in log files, such as '/var/log/kern.log')
and, of course, I've done some tests: change font size, background color,
bolding, inserting table etc.) The one problem, which I'm seeing for
Hi Seth,
Okay, I see. Thank You very much for an answer - as always very good and
valuable ;- )
Best regards.
Hi
I'm sorry - I've sent this message by accident. It should be: "ubuntu-
hardened" mailing list, not here.
Best regards.
Hello
Some weeks ago, about a month ago I've decided to enable OpenGL in Firefox
via 'about:config' and so on. (There are several guides available on the
internet.) I've done this just for testing purposes etc.
Anyway, everything went OK; under the "Graphics" section and "Compositing"
there was
Hi
At the end of last year, Mr Christian Boltz has updated logrotate profile
(with 'UsrMerge' etc.) and pasted it here:
https://lists.ubuntu.com/archives/apparmor/2016-December/010420.html
In the meantime, several rules have appeared - simply as a DENIED entries
in a log files. Generally, it
Hi
Continuing my first message about netstat(8) profile [1] - here, on this
mailing list - and many "target=*" entries, I would like to write another
one example of a problem with netstat(8) and probably: "-p" option along
with "capability sys_ptrace" etc.
Today, I've noticed a pretty strange
Hello
A few days ago, I installed 16.04 LTS Release (mostly for making a various
tests etc.) This is an old i386 computer, so I decided to use XFCE Desktop
Environment. Let's get to the main part of the message.
Yesterday, I created a (working) profile for a xfce4-dict, which is a
client program
Hello all.
A couple of days ago, I decided to test '/etc/cron.daily/logrotate'
profile, to see how it will be working on 16.04 LTS Release, because all
the work was done a few months ago, but on "Precise Pangolin."
Anyway, everything seemed to be fine, until I've noticed some problems with
logs:
Hello
Yesterday, I've created a profile for Audacious v3.6.2-2. Everything is
working as expected. However, there are two issues, which wonders me. This
profile was created with a very helpful profile generation utility for
AppArmor; aa-genprof(8). After answering some questions about profile, I
Hello
Today I've noticed, that 'usr.sbin.userdel' profile, found in
/usr/share/doc/apparmor-profiles/extras/ folder, seems to be not very
"compatible" with *ubuntu (in this case 16.04 LTS Release.) Now, I'll
explain what I mean.
'usr.sbin.userdel' profile contains two rules, related to
Hi Seth
First of: I would like to thank You very, very much for your patience. I
know, that my questions can be very annoying etc. You are very amazing
person. Thanks.
>> Feel free to ignore the audacious2 line -- after all the
>> executable doesn't exist on your system.
Yes, you're right, but
Hello
>> We attempt to make the profiles cross-distro compatible (...)
Yes, it's pretty obvious and I will remember about this. For sure ;- )
Thank you for an answer.
By the way; Christian could You take a look on the logrotate e-mail? (See
below.) I've asked about a couple of rules etc. I would
Hi Seth
>> I think I'd add the 'deny' rules. I don't know why an audio
>> player needs this and if it breaks the audio player, I'd pick a
>> player different.
OK. As I wrote in my first message, I'd removed this rule and Audacious
works normally - no issues, just these logs entries. In that
Hi
It seems, that these problems are solved. I've added these rules to the
Firefox profile:
dbus (send)
bus=session
interface=org.gtk.vfs.MountTracker,
# member=ListMountableInfo,
dbus (send)
bus=system
interface=org.freedesktop.UPower,
By the way; I found
Hello Mr Johansen
Thank You very much for a exhaustive answer. Now, I understand this issue
more. However, You wrote:
>> Unfortunately these policy rules are not compatible with
>> the version of apparmor in 12.04, unless you update 12.04
>> to a new apparmor userspace that can support them
Hi
A couple days ago, I've noticed DENIED entries related with Thunderbird.
They appeared after trying to configure an email address etc. However, it
seems that two of them are already included in Thunderbird profile [1].
/etc/xfce4/defaults.list r,
owner /run/user/[0-9]*/dconf/user rw,
If it's
Hello Seth
First of; thank You very much for an answer. I think you're right when it's
about: "idea to prevent the guest user from having too much influence on
the system(...)" I agree with You completely. And that was the main reason
why I was asking, whether to do something with these DENIED
Hello
Today, after using a guest account, I noticed a couple of DENIED entries in
log files. They are related with "/usr/lib/lightdm/lightdm-guest-session"
profile. I would like to ask; should I do something with this? For example;
add needed rules etc., or leave as is? Everything seems to work
Hello Seth
Thank You for an answer. I will use ; just as you
suggested.
Best regards,
Hello
Last year I've created an AppArmor profile for Parole application. However,
it was done on the 12.04 LTS Release, which is in EoL status now. After
fresh 16.04 LTS installation and checking log files for any new
DENIED/ALLOWED entries (Parole was in a "complain" mode), I was surprised
that
Hello Seth
Thank You for an answers. I understood many things, thanks to You. I
appreciate it, really.
First thing; if it's about 'xdg-screensaver' issues etc.; You've written,
that if I "don't trust data being supplied to Parole" then I should,
probably, prefer/use the 'Px' rule instead of
Hello Seth
>> Hi Daniel, thanks :) This is wonderful to hear.
But that's a pure true. Thanks to You and your answers I understand many
things related to AppArmor etc. Once again; thank You very, very much :- )
>> I'm sorry -- left unsaid with "Switch to Px" is also
>> "write a profile for
Hello
Last year, running 12.04 LTS Release, I noticed some problems with
netstat(8) utility. It turned out, that the 'p' option is responsible for
many DENIED entries in log files etc. [1] This option "show the PID and
name of the program to which each socket belongs".
However, Mr John Johansen
Hello Seth,
Thank You very much for an answers and explanations. I really appreciate
it; your help and so on :- ) I will try to take your suggestions and to do
something with these entries etc.
However, there is one more DENIED entry - I saw this one today, after first
Firefox start. It looks
1 - 100 of 124 matches