In particular, I see: [ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override" [ 1212.557110] type=1400 audit(1319105597.357:26): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=2 capname="dac_read_search"
That's something that we really don't want to grant, and we should just hide the message. [ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest- session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome- keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0 (for a few more PIDs, too). None of these PIDs exist any more after starting the session; the profile allows the guest session to look into /proc directories for processes which are owned by guest, nothing else. So these processes should belong to some other owners. However, I notice that e. g. seahorse complains about not being able to connect to the keyring, so apparently something needs fixing here. [ 1213.832400] type=1400 audit(1319105598.637:32): apparmor="DENIED" operation="open" parent=12039 profile="/usr/lib/lightdm/lightdm-guest- session-wrapper" name="/proc/2/stat" pid=12073 comm="killall" requested_mask="r" denied_mask="r" fsuid=118 ouid=0 This error message seems harmless. [ 1228.269177] type=1400 audit(1319105613.097:210): apparmor="DENIED" operation="open" parent=12218 profile="/usr/lib/lightdm/lightdm-guest- session-wrapper" name="/lib64/" pid=12219 comm="whereis" requested_mask="r" denied_mask="r" fsuid=118 ouid=0 We can allow reading/mapping /lib64, I'll add that. [ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest- session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118 mknod sounds like a no-no. s-c-p should have no business doing this. I'll hide the AA error. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/877736 Title: the guest account apparmor profile blocks things that seem useful To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/877736/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
