Apparmor prevents icedtea-7-plugin from creating necessary files

Bug #1293439 reported by Max Krasilnikov
This bug affects 3 people
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Steve Beattie
Milestone:

Bug Description

Apparmor prevents icedtea-7-plugin from creating /run/user/<UID>/icedteaplugin-<login>-<random>/, needed to work:

Mar 17 10:48:52 ad2 kernel: [2831863.964092] type=1400 audit(1395046132.183:851): apparmor="DENIED" operation="mkdir" parent=6425 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/user/1000/icedteaplugin-pseudo-7DURO0/" pid=30285 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

~> lsb_release -rd
Description: Ubuntu 13.10
Release: 13.10

~> apt-cache policy apparmor
apparmor:
  Installed: 2.8.0-0ubuntu31.1
  Candidate: 2.8.0-0ubuntu31.1
  Version table:
 *** 2.8.0-0ubuntu31.1 0
        500 http://archive.ubuntu.com/ubuntu/ saucy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.8.0-0ubuntu31 0
        500 http://archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: apparmor 2.8.0-0ubuntu31.1
ProcVersionSignature: Ubuntu 3.11.0-15.25-generic 3.11.10
Uname: Linux 3.11.0-15-generic x86_64
ApportVersion: 2.12.5-0ubuntu2.2
Architecture: amd64
Date: Mon Mar 17 10:59:53 2014
MarkForUpload: True
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.11.0-15-generic root=UUID=16001ea5-4e94-44ae-9838-da89b0f3f88e ro
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to saucy on 2013-09-10 (187 days ago)

Max Krasilnikov (pseudo) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Low
tags: added: policy
Changed in apparmor (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Jamie Strandboge (jdstrand) wrote :

Fix committed in r2741 trunk.

tags: added: aa-policy
removed: policy
Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Frédéric Gagné (fredg999) wrote :

I tried doing the patch manually on my system, and it seemed that the proposed fix wasn't enough.
As suggested, I added these lines below line 14:
  owner /{,var/}run/user/*/icedteaplugin-*/ rw,
  owner /{,var/}run/user/*/icedteaplugin-*/** rwk,

Yet that was not enough; the plugin still failed to run and I had the same complaints in kern.log.
However, adding the following line just under these two lines got it to work on my side.
  owner /usr/lib/firefox/firefox*/**browser_openjdk rx,

Frédéric Gagné (fredg999) wrote :

In addition to the comment above, here are the two most important lines taken from kern.log, which are the first and third lines output after trying to start a Java applet in my browser (Firefox 33). The other lines are all very similar.

Oct 15 15:57:45 fred-laptop kernel: [ 387.693155] type=1400 audit(1413403065.724:138): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-fred-im6jmr/3223-icedteanp-plugin-debug-to-appletviewer" pid=3269 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[…]
Oct 15 15:57:45 fred-laptop kernel: [ 387.726502] type=1400 audit(1413403065.756:140): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=3271 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[…]

Seth Arnold (seth-arnold) wrote :

Frédéric, note that the 'owner' keyword means that the user running the program must also own the file; with most files in /usr/ being owned by root, this addition would only work if you're running Firefox as root.

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Franck (alci) wrote :
Seth Arnold (seth-arnold) wrote :

Franck, you may wish to file a new bug as this one is marked 'Fix released'. Be sure to include DENIED lines from your kernel logs or audit logs.

Thanks

John Johansen (jjohansen) wrote :

So the particular denials from the kernel log for this bug would require adding

   /run/user/1000/icedteaplugin-pseudo-*/ w,

to the /usr/lib/firefox/firefox{,*[^s][^h]} profile

However, from the Ask Ubuntu question there is a larger problem.

1st: You can manually put the sub profiles into complain mode by adding flags=(complain) to the profiles
eg.
  /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java flags=(complain) {
     ...
  }

I took a pass through the DENIED messages in the Ask Ubuntu question and a first pass at the rules to add to /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk follows. Please note there may be more denied messages after these are added. Also you should check /var/log/syslog for denied messages, because Ubuntu has turned on extended dbus mediation and its denials do not go to the kernel ring buffer. Also this profile should be reloaded to make sure the new rules are added.

   /usr/bin/logger Pix, # choose transition that makes sense for your profiles

   /proc/sys/net/ipv4/ip_local_port_range r,
   /proc/@{pid}/cmdline r,

   owner @{HOME}/.mozilla/firefox/profiles.ini r,
   owner /run/user/1000/dconf/user rw,
   owner /run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer r,

   unix peer=(addr=@/tmp/dbus-* label=unconfined),
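As an added example (not code from this thread or from the AppArmor project), the following Python script does the triage that Seth's and John's comments describe by hand: it parses the type=1400 apparmor="DENIED" lines quoted in this bug, groups them by profile, and prints one candidate file rule per denial. It applies John's generalizations (/run/user/<uid>/ to /run/user/*/, icedteaplugin-<login>-<random>/ to icedteaplugin-*/, /proc/<pid>/ to /proc/@{pid}/) and Seth's point about the 'owner' keyword: the owner prefix is only emitted when fsuid equals ouid, so the /usr/bin/logger exec denial (ouid=0, fsuid=1000) never gets one. The sample log lines are copied from the comments above; the mask-to-permission mapping and the Pix suggestion for exec denials are assumptions to check against apparmor.d(5) before loading anything.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# key="quoted value" or key=bareword pairs inside a type=1400 AppArmor audit line
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed mapping from kernel-side mask letters to rule permission letters:
# create (c) and delete (d) are granted by 'w'; exec (x) needs an explicit transition.
MASK_TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a", "k": "k", "m": "m", "l": "l"}
PERM_ORDER = "rwalkm"  # canonical order for the emitted permission string

# Constructed sample input: the three DENIED lines quoted in this bug plus one unrelated line.
SAMPLE_LOG = """\
Mar 17 10:48:52 ad2 kernel: [2831863.964092] type=1400 audit(1395046132.183:851): apparmor="DENIED" operation="mkdir" parent=6425 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/user/1000/icedteaplugin-pseudo-7DURO0/" pid=30285 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Oct 15 15:57:45 fred-laptop kernel: [ 387.693155] type=1400 audit(1413403065.724:138): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-fred-im6jmr/3223-icedteanp-plugin-debug-to-appletviewer" pid=3269 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 15 15:57:45 fred-laptop kernel: [ 387.726502] type=1400 audit(1413403065.756:140): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=3271 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Oct 15 15:57:46 fred-laptop kernel: [ 388.000000] usb 1-1: new high-speed USB device number 4
"""


@dataclass(frozen=True)
class Denial:
    operation: str
    profile: str
    name: str
    requested_mask: str
    comm: str
    fsuid: Optional[int]
    ouid: Optional[int]


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one apparmor="DENIED" file-access line; return None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if "profile" not in fields or "name" not in fields:
        return None  # dbus/network denials carry other fields; not handled here

    def uid(key: str) -> Optional[int]:
        value = fields.get(key, "")
        return int(value) if value.isdigit() else None

    return Denial(
        operation=fields.get("operation", ""),
        profile=fields["profile"],
        name=fields["name"],
        requested_mask=fields.get("requested_mask", ""),
        comm=fields.get("comm", ""),
        fsuid=uid("fsuid"),
        ouid=uid("ouid"),
    )


def generalize_path(name: str) -> str:
    """Widen per-user and per-instance path components the way the thread's rules do."""
    name = re.sub(r"^/run/user/\d+/", "/run/user/*/", name)
    name = re.sub(r"icedteaplugin-[^/]+/", "icedteaplugin-*/", name)
    name = re.sub(r"^/proc/\d+/", "/proc/@{pid}/", name)
    return name


def suggest_rule(d: Denial) -> str:
    """Turn one denial into a candidate rule, honouring the 'owner' semantics."""
    path = generalize_path(d.name)
    if "x" in d.requested_mask:
        # Exec transitions are a policy decision; Pix is only a placeholder to review.
        return f"{path} Pix,  # choose the exec transition that fits your profiles"
    wanted = {MASK_TO_RULE[c] for c in d.requested_mask if c in MASK_TO_RULE}
    perms = "".join(p for p in PERM_ORDER if p in wanted)
    if not perms:
        return f"# unhandled mask {d.requested_mask!r} for {path}"
    if d.fsuid is not None and d.fsuid == d.ouid:
        return f"owner {path} {perms},"
    # The accessing uid does not own the file, so an 'owner' rule would never match.
    return f"{path} {perms},  # ouid={d.ouid} != fsuid={d.fsuid}: no 'owner' prefix"


def rules_by_profile(lines) -> Dict[str, List[str]]:
    """Map each profile name to its de-duplicated list of candidate rules."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        rule = suggest_rule(d)
        bucket = out.setdefault(d.profile, [])
        if rule not in bucket:
            bucket.append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG.splitlines()).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Run it against your own kern.log (or the audit log) instead of SAMPLE_LOG, review each suggested line, add it to the profile, reload the profile, and repeat until no new denials appear; as John notes, dbus denials land in /var/log/syslog rather than the kernel ring buffer and are not covered by this parser.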
