Originally posted by vasa1:
My question is this: have other people seen the same type of "denied" message when confining Firefox and using the default profile? If they have, how did they deal with it? If the rule I used is the way to go, will the devs consider incorporating it in the main profile (/etc/apparmor.d/usr.bin.firefox) so that the profile is more usable out of the box?

Needless to say, with the current profile I checked that I can use Firefox, my extensions (Stylish, DOM Inspector, DownThemAll, SimpleBlock) and plug-ins (Flash and IcedTea) without any problems.

AppArmor makes a fair amount of noise in your logs.

It is then up to you to monitor your logs and decide what to do.

The questions to ask yourself are:

1. Is the application working? Does the application need to access the resource?

2. Would you prefer your application to have minimal access and make a lot of noise in your logs?

Or do you prefer to give your application full access to all "normal" activities and log only when there is unexpected behavior?

So, after answering those questions you can decide.

If your application is broken, you need to fix it.

If the application is working, and you do not mind noise in the logs or you do not wish to monitor your logs, you do not need to do anything.

If your application is working, and you wish to monitor your logs, then yes, you will need to evaluate and address this noise. Is it a "false positive"? If so, correct the profile.

Note: It is not a false positive until you have investigated the log and determined that the access that was denied is both normal and acceptable to you.

As you might imagine, only you can decide how you wish to manage AppArmor.

Firefox is a poor example as it is a large and complex program, and many people use it for many things, so it requires fairly extensive system access.

Start with a smaller application and work up to Firefox.
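
One way to do the log review described in the reply above, as an added example that is not part of the original post: group AppArmor "DENIED" audit lines by profile, operation, path and denied mask, so each distinct denial can be investigated before any rule is added. The log lines are constructed samples, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel audit format AppArmor logs with;
# the paths, PIDs and timestamps are made up for this example.
SAMPLE_LOG = '''\
kernel: audit: type=1400 audit(1351245662.101:21): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/proc/2211/net/dev" pid=2211 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1351245702.440:22): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/proc/2390/net/dev" pid=2390 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1351245711.007:23): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/user/.ssh/id_rsa" pid=2390 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1351245720.300:24): apparmor="STATUS" operation="profile_replace" name="/usr/bin/firefox" pid=2501 comm="apparmor_parser"
kernel: audit: type=1400 audit(1351245733.912:25): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=911 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        fields = {k: (q or u) for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":  # skip STATUS, ALLOWED, etc.
            events.append(fields)
    return events


def summarize(text):
    """Count denials per (profile, operation, path, denied_mask)."""
    counts = Counter()
    for ev in parse_denials(text):
        # Collapse per-process /proc paths so repeats group together;
        # @{pid} is the variable AppArmor profiles use for this.
        name = re.sub(r"^/proc/\d+/", "/proc/@{pid}/", ev.get("name", "-"))
        key = (ev.get("profile", "-"), ev.get("operation", "-"),
               name, ev.get("denied_mask", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # Most frequent denials first: one line per distinct access to evaluate.
    for (profile, op, name, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {op}  {name}  {mask}")
```

Each output row is one candidate to investigate: a repeated read of a /proc file may turn out to be normal and acceptable, while a denied read of a private key file is the kind of entry the profile should keep denying.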