Page 19 of 19 FirstFirst ... 9171819
Results 181 to 185 of 185

Thread: AppArmor Support Thread

  1. #181
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: AppArmor Support Thread

    Quote Originally Posted by vasa1 View Post
    My question is this: have other people seen the same type of "denied" message when confining Firefox and using the default profile? If they have, how did they deal with it? If the rule I used is the way to go, will the devs consider incorporating it in the main profile (/etc/apparmor.d/usr.bin.firefox) so that the profile is more usable out of the box?

    Needless to say, with the current profile I checked that I can use Firefox, my extensions (Stylish, DOM Inspector, DownThemAll, SimpleBlock) and plug-ins (Flash and IcedTea) without any problems.
    Apparmor makes fair amount of noise in your logs.

    It is then up to you to monitor you logs and decide what to do.

    The questions to ask yourself is:

    1. Is the application working ? Does the application need to access the resource ?

    2. Would you prefer your application to have minimal access and make a lot of noise in your logs ?

    Or do you prefer to give your application full access to all "normal" activities and log only when there is unexpected behavior ?

    So, after answering those questions you can decide.

    If your application is broken, you need to fix it.

    If the application is working, and you do not mind noise in the logs or you do not wish to monitor your logs, you do not need to do anything.

    If your application is working, and you wish to monitory your logs, then yes you will need to evaluate and address this noise. Is it a "false positive" ? If so correct the profile.

    Note: It is not a false positive until you have investigated the log and determined that the access that was denied is both normal and acceptable to you.

    As you might imagine, only you can decide how you wish to manage apparmor.

    Firefox is a poor example as it is a large and complex program, and many people use it for many things, so it requires fairly extensive system access.

    Start with a smaller application and work up to firefox.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #182
    Join Date
    Nov 2011
    Beans
    1

    Re: AppArmor Support Thread

    The following lines appears in syslog when I load the Java applet for my home banking. I have tried to add the line "owner @{HOME}/.mozilla/firefox/profiles.ini r," to both "/etc/apparmor.d/usr.bin.firefox" and "/etc/apparmor.d/abstractions/ubuntu-browsers.d/java", just to get started solving the problem, but this doesn't do anything as profiles.ini still cannot be read.

    Code:
    apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/home/gwrt78/.mozilla/firefox/profiles.ini" pid=3063 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/dev/random" pid=3115 comm="java" requested_mask="ac" denied_mask="ac" fsuid=1000 ouid=0
    apparmor="DENIED" operation="open" parent=3018 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}//browser_openjdk" name="/" pid=3121 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Any suggestions on to what file I should add the line?

  3. #183
    Join Date
    Feb 2010
    Location
    UK
    Beans
    128
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: AppArmor Support Thread

    Forgive me necromancy, but this is the core of the question actually - why most topics dealing with apparmor went dead? No new profiles, less and less answers - is apparmor being abandoned - any other better solution came up?

  4. #184
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: AppArmor Support Thread

    There used to be a sharing of profiles. But ubuntu comes with default profiles, which are in dev.

  5. #185
    Join Date
    Feb 2008
    Location
    Texas
    Beans
    29,807
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: AppArmor Support Thread

    Thread closed. Please do not post in old threads.

Page 19 of 19 FirstFirst ... 9171819

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •