Ok, I was able to reproduce this with the icedtea plugin:
1. profile is enabled
$ md5sum /etc/apparmor.d/usr.bin.firefox-3.5
97d80b2693f5e7d9141a4275b91bd883 /etc/apparmor.d/usr.bin.firefox-3.5
2. sudo aa-status
apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.
...
/usr/lib/firefox-3.5.*/firefox
...
4 processes are in enforce mode :
/usr/lib/firefox-3.5.*/firefox (5638)
...
3. $ dpkg -l | egrep '(iced|java)'
...
ii icedtea-6-jre-cacao 6b16-1.6.1-3ubuntu1 Alternative JVM for OpenJDK, using Cacao
ii icedtea6-plugin 6b16-1.6.1-3ubuntu1 web browser plugin based on OpenJDK and Iced
ii java-common 0.30ubuntu5 Base of all Java packages
...
4. There are no denied messages in kern.log/audit.log
$HOME/.xsession-errors shows various errors, but they don't seem directly related to this bug. What is most interesting is that while the profile doesn't show any denials, java nonetheless does not work.
Ok, I was able to reproduce this with the icedtea plugin: d/usr.bin. firefox- 3.5 9141a4275b91bd8 83 /etc/apparmor. d/usr.bin. firefox- 3.5
1. profile is enabled
$ md5sum /etc/apparmor.
97d80b2693f5e7d
2. sudo aa-status lib/firefox- 3.5.*/firefox lib/firefox- 3.5.*/firefox (5638)
apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.
...
/usr/
...
4 processes are in enforce mode :
/usr/
...
3. $ dpkg -l | egrep '(iced|java)'
...
ii icedtea-6-jre-cacao 6b16-1.6.1-3ubuntu1 Alternative JVM for OpenJDK, using Cacao
ii icedtea6-plugin 6b16-1.6.1-3ubuntu1 web browser plugin based on OpenJDK and Iced
ii java-common 0.30ubuntu5 Base of all Java packages
...
4. There are no denied messages in kern.log/audit.log
5. Steps to reproduce: Plugins and enable the IcedTea plugin www.gnu. org/software/ classpath/ (though http:// java.com/ en/download/ help/testvm. xml should lockup firefox too)
a. start firefox with: firefox -safe-mode
b. disable all addons
c. go to 'about:plugins' no plugins should be displayed
d. go to Tools/Addons/
e. close firefox
f. start firefox, then go to 'about:plugins' to verify that icedtea is enabled
g. navigate to http://
6. $ lsb_release -a ; uname -m
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic
i686
WORKAROUND (ie, disable the firefox profile): d/usr.bin. firefox- 3.5 d/disable/ usr.bin. firefox- 3.5
$ sudo apparmor_parser -R /etc/apparmor.
$ sudo touch /etc/apparmor.
$HOME/. xsession- errors shows various errors, but they don't seem directly related to this bug. What is most interesting is that while the profile doesn't show any denials, java nonetheless does not work.