Comment 33 for bug 987578

can you look in dmesg or kern.log for the actual apparmor denial?

> I have absolutely no idea what "ixr"

allow r (read) permission
allow ix == on eXecute inherit the current profile

an exec permission can specify different options that should be taken, inherit the current profile, transition to specific profile, transition based on the exec profile name, ...

> /usr/bin/firefox ixr, -> error about "option" x being in conflict

there is another exec rule that matches and it species that something else should be done. Hence they conflict.

> /usr/bin/firefox r, -> does not work
> /usr/bin/sh r, -> seems very dangerous & does not work