[apparmor] Rule to allow chmod-operations (or reduce dmesg suppression)

Jonas Große Sundrup jgs-apparmor at letopolis.de
Tue Mar 30 20:28:00 UTC 2021


Hi,

my dmesg shows me the following output:

type=1400 audit(1617134745.962:4981): apparmor="DENIED"
operation="chmod" profile="/usr/lib/signal-desktop/signal-desktop"
name="/var/cache/fontconfig/" pid=246265 comm="signal-desktop"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

What would be a rule allowing this chmod operation?

Right now I actually don't really care if the solution is reasonable
or not, big hammer would also be fine, as I am currently investigating
why the entirety of the Electron-universe suddenly decides to die on me
with [0].

Hence I'm currently trying to write a very liberal profile to then lock
down again. However, I fail to write a rule that relieves me of the
warning above. I do have a 

/var/cache/fontconfig rw,
/var/cache/fontconfig/** rw,

in the profile I'm testing with, but that doesn't resolve it. Possibly
because it's a chmod-operation instead of an
open-operation? Which the core reference [1] says is currently not
supported/exposed?

That message is present 4 times, I doubt it's the root cause, but dmesg
is not voicing any other concerns besides "n callbacks suppressed", so
I'd like to get rid of it to uncover more messages as I haven't found
any other way of removing said suppression
(caused/reported by kauditd_printk_skb). If there is one that I haven't
found, that would be an alternative as well of course.


Can anyone help me out on this one, possibly?


Thanks very much,
Jonas


[0]
libGL error: MESA-LOADER: failed to retrieve device information
libGL error: Version 4 or later of flush extension not found
libGL error: failed to load driver: i915
Failed to generate minidump.zsh: segmentation fault (core dumped)

[1]
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference
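
Added example, not part of the original message: a small Python check that parses the denial quoted above and tests the logged name against the two profile rules from the post. The matcher is a simplified model of the globbing documented in apparmor.d(5) (only literals, `*` and `**`; directory paths end in `/`), and the function names are hypothetical.

```python
import re
import shlex

# Constructed input: the audit record from the post, joined onto one line.
RECORD = ('type=1400 audit(1617134745.962:4981): apparmor="DENIED" '
          'operation="chmod" profile="/usr/lib/signal-desktop/signal-desktop" '
          'name="/var/cache/fontconfig/" pid=246265 comm="signal-desktop" '
          'requested_mask="w" denied_mask="w" fsuid=1000 ouid=0')

def parse_denial(line):
    """Split an AppArmor audit record into a dict of its key=value fields."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def glob_to_regex(glob):
    """Translate a path glob (simplified model: literals, '*', '**')."""
    out, i = "", 0
    while i < len(glob):
        after_slash = out.endswith("/")
        if glob.startswith("**", i):
            # '**' crosses '/', but right after '/' it needs at least one
            # character, so '/dir/**' does not cover '/dir/' itself.
            out += r"[^/].*" if after_slash else r".*"
            i += 2
        elif glob[i] == "*":
            # '*' stays inside one path component.
            out += r"[^/]+" if after_slash else r"[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile(out, re.DOTALL)

def rule_matches(rule_path, name):
    """True if the rule's path pattern covers the logged object name."""
    return glob_to_regex(rule_path).fullmatch(name) is not None

def suggest_rule(denial):
    """Candidate rule from the logged name and denied mask (no quoting of
    paths with spaces; assumption: the name is used verbatim)."""
    return f'{denial["name"]} {denial["denied_mask"]},'

if __name__ == "__main__":
    d = parse_denial(RECORD)
    for rule in ("/var/cache/fontconfig", "/var/cache/fontconfig/**"):
        print(f"{rule:28} covers {d['name']}: {rule_matches(rule, d['name'])}")
    print("candidate rule:", suggest_rule(d))
```

The logged name ends in `/`, which marks it as a directory, so neither rule from the post covers it in this model; the candidate rule keeps the trailing slash.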
