Quote Originally Posted by MiniT View Post
Tht means the firefox or transmission or samba critter may have a user account of sorts in a group of some kind - and defined limits therof.
It's actually not important what the user account is until you look at rules that have the "owner" directive or use the "@{HOME}" expansion.

Quote Originally Posted by MiniT View Post
What I don't get is why I can Save Page As . . . and see - pretty much anything. Maybe even save to most sensitive areas - by default?
AppArmor may (for various reasons) allow you to view areas even if you can't save there. In the default Firefox profile, at least as I have it, Firefox only has write access to ~/Downloads/, ~/.config/ibus/bus/ and ~/.gnome2/firefox*-bin-*. But, it has read access to the home directory and to ~/Public/. So under that profile, if you use Save As in Firefox, you could go into ~/Public/ and view what's there, but you would get an error if you actually tried to save there. Are you experiencing something different? Post your whole profile if you are, we can look at it and try to figure it out.

Quote Originally Posted by MiniT View Post
What if I start iwth a profile that basically says :
audit deny / mrwkl # or anything else goshdarnit
That probably won't work quite as well as you think and would lead to a much larger profile than is necessary What's in the default Firefox profile, which is "/ r", is a good starting point.