can you look in dmesg or kern.log for the actual apparmor denial?
> I have absolutely no idea what "ixr"
allow r (read) permission
allow ix == on eXecute inherit the current profile
an exec permission can specify different options that should be taken, inherit the current profile, transition to specific profile, transition based on the exec profile name, ...
> /usr/bin/firefox ixr, -> error about "option" x being in conflict
there is another exec rule that matches and it species that something else should be done. Hence they conflict.
> /usr/bin/firefox r, -> does not work
> /usr/bin/sh r, -> seems very dangerous & does not work
can you look in dmesg or kern.log for the actual apparmor denial?
> I have absolutely no idea what "ixr"
allow r (read) permission
allow ix == on eXecute inherit the current profile
an exec permission can specify different options that should be taken, inherit the current profile, transition to specific profile, transition based on the exec profile name, ...
> /usr/bin/firefox ixr, -> error about "option" x being in conflict
there is another exec rule that matches and it species that something else should be done. Hence they conflict.
> /usr/bin/firefox r, -> does not work
> /usr/bin/sh r, -> seems very dangerous & does not work