Comment 5 for bug 626451

Simon Déziel (sdeziel) wrote :

@Jamie

I just noticed several lines like those below in /var/log/kern.log:

Sep 27 15:13:33 simon-laptop kernel: [25083.645117] type=1400 audit(1285614813.028:89): apparmor="DENIED" operation="exec" parent=16043 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/lsb_release" pid=16044 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 27 15:13:33 simon-laptop kernel: [25083.646496] type=1400 audit(1285614813.028:90): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/proc/16009/net/route" pid=16009 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This only occurs when actually dialing, so I was wrong to say that it worked in comment #4. Please note that even with those warnings it is possible to use the Google Talk plugin.

Here is the profile configuration I came up with that works well and generates no AA log:

  /opt/google/talkplugin/*.so mr,
  /opt/google/talkplugin/lib/*.so mr,
  /opt/google/talkplugin/GoogleTalkPlugin ixr,
  /usr/bin/lsb_release Ux,
  @{PROC}/[0-9]*/net/route r,

I have also tried the "ix" flag for lsb_release, but it generated these errors:

Sep 27 16:17:34 simon-laptop kernel: [28925.071870] type=1400 audit(1285618654.458:123): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/python2.6/sitecustomize.py" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.086222] type=1400 audit(1285618654.468:124): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/lsb-release" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.086782] type=1400 audit(1285618654.468:125): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/debian_version" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.088605] type=1400 audit(1285618654.468:126): apparmor="DENIED" operation="exec" parent=18419 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/apt-cache" pid=18420 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

IMO, it's better to run lsb_release unconfined.
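
The mapping from the DENIED records to the profile rules in the comment above can be reproduced mechanically. The following is an added example, not part of the original comment or of AppArmor's own tooling; the function names and the exec_modes parameter are hypothetical, and the two sample records are copied from the comment.

```python
import re

# Two denial records copied from the comment above, used as sample input.
SAMPLE = [
    'Sep 27 15:13:33 simon-laptop kernel: [25083.645117] type=1400 '
    'audit(1285614813.028:89): apparmor="DENIED" operation="exec" parent=16043 '
    'profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/lsb_release" '
    'pid=16044 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'Sep 27 15:13:33 simon-laptop kernel: [25083.646496] type=1400 '
    'audit(1285614813.028:90): apparmor="DENIED" operation="open" parent=1 '
    'profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/proc/16009/net/route" '
    'pid=16009 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
]

# key=value pairs, with either a quoted or a bare value.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def candidate_rules(lines, exec_modes):
    """Turn denials into profile rule lines for a human to review.

    exec_modes maps an executable path to the transition mode the reviewer
    chose (ix, Px, Cx, Ux, ...); exec denials without a choice become a
    comment, because no safe default can be derived from the log alone.
    """
    rules = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        # Per-process /proc paths are matched with the @{PROC} variable.
        path = re.sub(r'^/proc/\d+/', '@{PROC}/[0-9]*/', d['name'])
        if d['operation'] == 'exec':
            mode = exec_modes.get(path)
            rule = f'{path} {mode},' if mode else f'# exec of {path}: pick a transition mode'
        else:
            rule = f'{path} {d["denied_mask"]},'
        if rule not in rules:
            rules.append(rule)
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE, {'/usr/bin/lsb_release': 'Ux'})))
```

The comm field shows which process hit the denial: with "ix" the child inherits the Firefox profile, which is why the second set of records carries comm="lsb_release" under the same profile name.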