tunables/share has this declaration [0]:
```
@{user_share_dirs} = @{HOME}/.local/{,share/@{flatpak_exports_root}}/share
```
`@{user_share_dirs}` itself is used in `abstractions/freedesktop.org` [1]:
```
owner @{user_share_dirs}/mime/{**,} r,
```
Nevertheless, recently I've started getting denies related to mime-related files in my home, from Thunderbird, Firefox, and more:
```
type=AVC msg=audit(1549821514.141:9496): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/mime.cache" pid=3084 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
```
```
type=AVC msg=audit(1549821514.141:9502): apparmor="DENIED" operation="open" profile="thunderbird" name="/home/vincas/.local/share/mime/generic-icons" pid=3084 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
```
Denies disappear if I change the `@{user_share_dirs}` declaration into two separate declarations like this:
```
@{user_share_dirs} = @{HOME}/.local/share
@{user_share_dirs} += @{HOME}/.local/share/@{flatpak_exports_root}/share
```
Or, into a simpler one-liner with two paths (thanks to Christian Boltz):
```
@{user_share_dirs} = @{HOME}/.local/share @{HOME}/.local/share/@{flatpak_exports_root}/share
```
This is what `apparmor_parser -d` outputs for the related mime rule:
```
Mode: r: Name: ({/home//*//.local/{,share/{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}}/share,/root//.local/{,share/{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}}/share}/mime/{**,})
```
There are two related Debian bug reports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920833
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921888
[0] https://gitlab.com/apparmor/apparmor/blob/5e5b02b7227bf2ee4d25f2d945c07317af0637ec/profiles/apparmor.d/tunables/share#L15
[1] https://gitlab.com/apparmor/apparmor/blob/5e5b02b7227bf2ee4d25f2d945c07317af0637ec/profiles/apparmor.d/abstractions/freedesktop.org#L28
I am proposing this workaround, motivated by upcoming Debian Buster full freeze: https://gitlab.com/apparmor/apparmor/merge_requests/340
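The following is an added example, not part of the original report or of the AppArmor code base. It expands the original declaration and the one-liner as plain text and compares the results with the directory from the denials; `expand`, `user_share_dirs` and `report` are hypothetical helpers. It assumes literal string comparison and does not model how `apparmor_parser` itself treats slashes or globs.

```python
HOME = "/home/vincas"  # home directory seen in the audit lines of the report
# Value of @{flatpak_exports_root} as it appears in the `apparmor_parser -d` dump
FLATPAK = "{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}"

ORIGINAL = "@{HOME}/.local/{,share/@{flatpak_exports_root}}/share"
ONE_LINER = "@{HOME}/.local/share @{HOME}/.local/share/@{flatpak_exports_root}/share"


def expand(pattern):
    """Expand {a,b,...} alternations (nesting allowed) into literal strings."""
    start = pattern.find("{")
    if start < 0:
        return [pattern]
    depth, parts, last = 0, [], start + 1
    for i in range(start, len(pattern)):
        c = pattern[i]
        if c == "{":
            depth += 1
        elif c == "," and depth == 1:
            parts.append(pattern[last:i])  # may be the empty alternative
            last = i + 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                parts.append(pattern[last:i])
                head, tail = pattern[:start], pattern[i + 1:]
                return [s for p in parts for s in expand(head + p + tail)]
    raise ValueError("unbalanced braces in " + pattern)


def user_share_dirs(declaration):
    """Substitute the two variables, split the values on whitespace, expand each."""
    text = declaration.replace("@{HOME}", HOME)
    text = text.replace("@{flatpak_exports_root}", FLATPAK)
    return [p for value in text.split() for p in expand(value)]


def report(declaration, wanted=HOME + "/.local/share"):
    """Say whether `wanted` appears literally and which expansions contain '//'."""
    dirs = user_share_dirs(declaration)
    return {"literal_match": wanted in dirs,
            "empty_components": [d for d in dirs if "//" in d]}


if __name__ == "__main__":
    for name, decl in (("original", ORIGINAL), ("one-liner", ONE_LINER)):
        print(name, report(decl))
```

Textually, the empty alternative in the original declaration produces `.local//share` rather than `.local/share`, while the one-liner lists `.local/share` directly.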