Comment 16 for bug 1381713

James Henstridge (jamesh) wrote :

We're in the process of trying to land these changes for thumbnailer, and have been noticing problems with the music-app: we are getting denials from aa_query_label for files under ~/Music. For example:

    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/Music/10-amarillo.mp3
    read '/home/phablet/Music/10-amarillo.mp3' denied

However, the profile seems to be able to read files in that location anyway:

    $ aa-exec -p com.ubuntu.music_music_2.1.867 cat /home/phablet/Music/10-amarillo.mp3 >/dev/null

It seems the aa_query_label checks are working for ~/.local/share/$PACKAGE directories though, so it is working at some level:

    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/.local/share/com.ubuntu.music/foo
    read '/home/phablet/.local/share/com.ubuntu.music/foo' allowed
    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/.local/share/com.ubuntu.gallery/foo
    read '/home/phablet/.local/share/com.ubuntu.gallery/foo' denied

Is there something special about the way ~/Music access is enabled in the policy? I've been trying this out with devel-proposed (wily) image 233 on a Nexus 4 if that matters.