Re: AppArmor Support Thread
Quote: Originally Posted by vasa1
My question is this: have other people seen the same type of "denied" message when confining Firefox and using the default profile? If they have, how did they deal with it? If the rule I used is the way to go, will the devs consider incorporating it in the main profile (/etc/apparmor.d/usr.bin.firefox) so that the profile is more usable out of the box?
Needless to say, with the current profile I checked that I can use Firefox, my extensions (Stylish, DOM Inspector, DownThemAll, SimpleBlock) and plug-ins (Flash and IcedTea) without any problems.
AppArmor makes a fair amount of noise in your logs.
It is then up to you to monitor your logs and decide what to do.
The questions to ask yourself are:
1. Is the application working? Does the application need to access the resource?
2. Would you prefer your application to have minimal access and make a lot of noise in your logs?
Or do you prefer to give your application full access to all "normal" activities and log only when there is unexpected behavior?
So, after answering those questions you can decide.
If your application is broken, you need to fix it.
If the application is working, and you do not mind noise in the logs or you do not wish to monitor your logs, you do not need to do anything.
If your application is working, and you wish to monitor your logs, then yes, you will need to evaluate and address this noise. Is it a "false positive"? If so, correct the profile.
Note: It is not a false positive until you have investigated the log and determined that the access that was denied is both normal and acceptable to you.
As you might imagine, only you can decide how you wish to manage apparmor.
Firefox is a poor example as it is a large and complex program, and many people use it for many things, so it requires fairly extensive system access.
Start with a smaller application and work up to Firefox.
Re: AppArmor Support Thread
The following lines appear in syslog when I load the Java applet for my home banking. I have tried to add the line "owner @{HOME}/.mozilla/firefox/profiles.ini r," to both "/etc/apparmor.d/usr.bin.firefox" and "/etc/apparmor.d/abstractions/ubuntu-browsers.d/java", just to get started solving the problem, but this doesn't do anything as profiles.ini still cannot be read.
Code:
apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/home/gwrt78/.mozilla/firefox/profiles.ini" pid=3063 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/dev/random" pid=3115 comm="java" requested_mask="ac" denied_mask="ac" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/" pid=3121 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Any suggestions as to which file I should add the line to?
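An added example, not from this thread or from the AppArmor project, that parses DENIED lines in the format quoted above into candidate file rules for review, keyed by the child profile named after `//` in the profile field (a rule for a child profile must live in that child's block or in an abstraction that block includes, not in the parent). The mask-letter mapping, the `owner`/`@{HOME}` substitution and the constructed sample log are this example's own assumptions.

```python
import re

# Constructed sample: the three DENIED lines quoted in the post above,
# in the key=value audit format AppArmor writes to syslog.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/home/gwrt78/.mozilla/firefox/profiles.ini" pid=3063 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/dev/random" pid=3115 comm="java" requested_mask="ac" denied_mask="ac" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/" pid=3121 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log mask letters -> file-rule permission letters (assumed mapping):
# create ('c') and delete ('d') are granted by 'w' in rule syntax.
MASK_MAP = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
            "k": "k", "l": "l", "m": "m"}

HOME_RE = re.compile(r"^/home/[^/]+/")


def parse_denial(line):
    """Return the fields of one DENIED line as a dict, or None otherwise."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(fields):
    """Build one candidate file rule for a denial (for human review only)."""
    perms = {MASK_MAP[c] for c in fields["denied_mask"] if c in MASK_MAP}
    if "w" in perms:
        perms.discard("a")  # 'w' already covers append; the two cannot be combined
    path = fields["name"]
    # Use the owner restriction only when the denied process owns the file.
    if fields.get("fsuid") == fields.get("ouid") and HOME_RE.match(path):
        path = "owner " + HOME_RE.sub("@{HOME}/", path)
    return f"{path} {''.join(sorted(perms))},"


def suggest_rules(log_text):
    """Group candidate rules by the (child) profile that logged the denial."""
    by_profile = {}
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        # 'parent//child' means a child profile denied the access.
        child = fields["profile"].rsplit("//", 1)[-1]
        by_profile.setdefault(child, set()).add(suggest_rule(fields))
    return {p: sorted(r) for p, r in by_profile.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for profile {profile}")
        print("\n".join(rules))
```

Each emitted rule is a starting point to check against the first reply's questions (does the application actually need that access?), not something to paste in unread.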
Re: AppArmor Support Thread
Forgive my necromancy, but this is the core of the question actually: why have most topics dealing with AppArmor gone dead? No new profiles, fewer and fewer answers. Is AppArmor being abandoned? Has any other, better solution come up?
Re: AppArmor Support Thread
There used to be a sharing of profiles. But Ubuntu comes with default profiles, which are in dev.
Re: AppArmor Support Thread
Thread closed. Please do not post in old threads.