Comment 2 for bug 359338

Steve Beattie (sbeattie) wrote : Re: apparmor paths are broken when using encrypted home on jaunty

The issue here is that apparmor is being asked whether to grant permission to both the encrypted and unencrypted filenames; you can see this if you use the following profile in Jamie's test case above:

#include <tunables/global>

/tmp/359338.sh {
  #include <abstractions/base>

  /bin/dash rix,
  /bin/touch rix,
  /tmp/359338.sh r,

  audit owner @{HOME}/test.txt rw,
  audit owner @{HOME}/.Private/** rw,
}

This will result in the following showing up in the apparmor log when user foo runs the script:

[ 6753.287224] type=1501 audit(1239653800.125:47): operation="inode_create" requested_mask="a::" fsuid=1001 name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287235] type=1501 audit(1239653800.125:48): operation="inode_create" requested_mask="a::" fsuid=1001 name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
[ 6753.287843] type=1501 audit(1239653800.125:49): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287853] type=1501 audit(1239653800.125:50): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287862] type=1501 audit(1239653800.125:51): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
[ 6753.287873] type=1501 audit(1239653800.125:52): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"

which is a pretty atrocious workaround, but I doubt anything better can be done before jaunty is released.
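The following is an added example, not code from the bug report or from the AppArmor project. It parses audit lines in the format shown in the comment above (the six sample lines are copied from it), shows that each operation is mediated against both the plaintext name and its ecryptfs ciphertext counterpart under `.Private/`, and derives the pair of `owner` rules a profile needs so that neither lookup is denied. Assumptions: home directories live under `/home/<user>` (mapped to `@{HOME}`), the ciphertext filename is unpredictable and so is covered by `.Private/**` as the comment's profile does, and the requesting process owns the files, so the rules are emitted with `owner`.

```python
import re
from typing import Dict, List, Set

# Sample lines copied from the bug comment (real output from the reporter's test case).
SAMPLE_LOG = """\
[ 6753.287224] type=1501 audit(1239653800.125:47): operation="inode_create" requested_mask="a::" fsuid=1001 name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287235] type=1501 audit(1239653800.125:48): operation="inode_create" requested_mask="a::" fsuid=1001 name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
[ 6753.287843] type=1501 audit(1239653800.125:49): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287853] type=1501 audit(1239653800.125:50): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/test.txt" pid=5441 profile="/tmp/359338.sh"
[ 6753.287862] type=1501 audit(1239653800.125:51): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
[ 6753.287873] type=1501 audit(1239653800.125:52): operation="setattr" requested_mask="w::" fsuid=1001 attribute="atime,mtime,ctime," name="/home/foo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWa-v7eV.gt-MkSIm4CZSyHipWO07nM63KqvRgbGYvdyUIvp87gd.GYus---" pid=5441 profile="/tmp/359338.sh"
"""

# key="quoted value" or key=bareword; the leading "[ ts]" and "audit(...)" tokens carry no "=" and are skipped.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Assumption: home directories are /home/<user>; this prefix becomes @{HOME} in the generated rule.
HOME_RE = re.compile(r"^/home/[^/]+")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def parse_audit_log(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line; lines without a name= field are kept but carry no path."""
    return [parse_audit_line(ln) for ln in log_text.splitlines() if ln.strip()]


def names_per_operation(log_text: str) -> Dict[str, List[str]]:
    """Which paths each operation was mediated against; with ecryptfs both names appear."""
    seen: Dict[str, Set[str]] = {}
    for ev in parse_audit_log(log_text):
        if "operation" in ev and "name" in ev:
            seen.setdefault(ev["operation"], set()).add(ev["name"])
    return {op: sorted(names) for op, names in seen.items()}


def to_rule_path(path: str) -> str:
    """Turn an observed path into a profile path: @{HOME} for the home prefix and
    .Private/** for the ciphertext name, which cannot be predicted and must be globbed."""
    m = HOME_RE.match(path)
    if not m:
        return path
    rel = path[m.end():]
    if rel.startswith("/.Private/"):
        rel = "/.Private/**"
    return "@{HOME}" + rel


def required_rules(log_text: str) -> List[str]:
    """Collapse the observed accesses into the minimal set of owner rules, one per
    rule path, with the mode letters taken from requested_mask (append folds into w)."""
    perms: Dict[str, Set[str]] = {}
    for ev in parse_audit_log(log_text):
        if "name" not in ev:
            continue
        mask = ev.get("requested_mask", "").split(":")[0]
        mode = perms.setdefault(to_rule_path(ev["name"]), set())
        for ch in mask:
            mode.add("w" if ch == "a" else ch)
    # Assumption: the process is the files' owner, matching the profile in the comment.
    return sorted(f"owner {p} {''.join(sorted(m))}," for p, m in perms.items())


if __name__ == "__main__":
    for op, names in names_per_operation(SAMPLE_LOG).items():
        print(op, "->", names)
    print("\n".join(required_rules(SAMPLE_LOG)))
```

Running it on the sample shows both `inode_create` and `setattr` hitting the plaintext `test.txt` and the `ECRYPTFS_FNEK_ENCRYPTED.*` name, and produces the two rules `owner @{HOME}/.Private/** w,` and `owner @{HOME}/test.txt w,`; the comment's profile grants `rw` on both, which is a superset. To run it on a live system, feed the script the relevant lines from the kernel log instead of `SAMPLE_LOG`.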