[apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.
daniel curtis
sidetripping at gmail.com
Sun Feb 5 18:26:58 UTC 2017
Hi Seth,

Today (based on your opinion, see 1.), I've added the "lsb_release" child
profile to the existing Firefox profile. I had to make a few small changes, due
to the version of Python etc. Your "lsb_release" child contains, for
example, a rule related to the python3.[0-4] version, which is not available
on my system, and so on.

However, it seems that everything is okay. After adding the "lsb_release" child
profile, using apparmor_parser(8) to load the "new" Firefox profile into the
kernel, and restarting AppArmor via '/etc/init.d/', there was no DENIED message
about "/usr/bin/lsb_release" and requested_mask="x" denied_mask="x", which
I saw earlier after every first Firefox start etc. (see 2.)

Anyway, could you check if "my" version of the "lsb_release" child profile is
okay? Here it is:

  /usr/bin/lsb_release Cxr -> lsb_release,

  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>

    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,

    # THERE IS ONLY "python-2.7" FOLDER ON MY SYSTEM
    # USE JUST: "/usr/include/python2.7/pyconfig.h r," RULE?
    /usr/include/python2.[4567]/pyconfig.h r,

    /etc/lsb-release r,
    /etc/debian_version r,
    /var/lib/dpkg/** r,

    ##/usr/local/lib/python3.[0-4]/dist-packages/ r,
    # THERE IS "python-2.7" FOLDER ON MY SYSTEM. USE THIS:
    #/usr/local/lib/python2.[0-7]/dist-packages/ r,
    # OR THIS RULE? (FOR NOW, I'M USING THIS ONE):
    /usr/local/lib/python2.7/dist-packages/ r,

    /usr/bin/ r,

    # THERE ARE: "python python2 python2.7" ON MY SYSTEM
    # IT'S OKAY?
    /usr/bin/python2.[0-7] r,

    # file_inherit
    deny /tmp/gtalkplugin.log w,
  }

Once again, thank you very much, Seth, for all the help etc., especially in
this case. Your example of the "lsb_release" child profile helped me a lot.
Really. Thanks. I hope that "my" version is also okay :-)

Best regards.
_____________
1; https://lists.ubuntu.com/archives/apparmor/2017-January/010517.html
2; https://lists.ubuntu.com/archives/apparmor/2017-January/010506.html