Hello Seth,

Thank you for the answers. I understood many things, thanks to you. I appreciate it, really.

First thing: regarding the 'xdg-screensaver' issues etc., you've written that if I "don't trust data being supplied to Parole" then I should probably prefer/use the 'Px' rule instead of 'PUx', right? But after this change, and after using the apparmor_parser(8) utility to load the "new" profile, the log files contain:

audit: type=1400 audit(1496230982.227:68): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="/usr/bin/parole" name="/usr/bin/xdg-screensaver" pid=3304 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/xdg-screensaver"

Returning to the "PUx" rule seems to help: there is no DENIED entry etc. (NOTE: With the "Px" rule, Parole works OK; there is just this log entry.) So, what should I do in this situation? I trust the data supplied to Parole. I hope so... :-)

And to answer your question: I did not notice Parole downloading anything from the web, neither song lyrics nor album art etc.

As for abstractions: I will add <abstractions/gnome> and 'audio', of course. I have a comment in the Parole profile which says: "use an audio abstraction seems to be a better solution". But I just wanted to be 100% sure and so on.

>> dbus send
>> bus=accessibility
>> path=/org/freedesktop/hostname1
>> interface=org.freedesktop.DBus.Properties
>> member=GetAll,

Thanks for pointing out my mistake with bus="system", when my rule specified bus="accessbility". Fixed. Also, the documentation was very helpful.

Now the "orcexec.*" files: I decided to change the rules and use 'deny' instead of 'owner'. After reloading the profile, Parole seems to work normally and there are no DENIED entries in the log files. I did the same thing with the PulseAudio profile, because it has similar rules. No problems so far. I will do the same in every profile with these rules and keep an eye on this issue.

I asked about "aqueue:src", right? It was in a log entry related to the "orcexec.*" files:

audit: type=1400 audit(1495963224.908:82): apparmor="DENIED" operation="mknod" profile="/usr/bin/parole" name="/run/user/1000/orcexec.IveM1L" pid=3649 comm="aqueue:src" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Can you write something more about this now? I'm asking because you've mentioned rootkits etc. Should I make some changes in the profile, e.g. to the rules? (You've written: "So be sure to use the /run/user/..." Is it enough? Just change "/{,var/}run/user/" to "/run/user/..."? Geez, what a naive question. Sorry.)

>> Because you haven't submitted the profile yet :)

Parole seems to work OK, even when the profile is in "enforce" mode. I will do some more tests to rule out errors etc. Should I paste the Parole profile somewhere? Does it make any sense? Maybe this profile is not so bad and can be added to the AppArmor profiles? :-)

Thanks, best regards.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
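Added example, not part of the original message or of the AppArmor project: a small Python parser for the two audit records quoted above, splitting each into fields and giving a one-line reading for the profile author. The function names are hypothetical, and the reading of "profile transition not found" (the exec rule asks for a profile of the target, and none is loaded) is general AppArmor behaviour, not something the message states.

```python
import re
from datetime import datetime, timezone

# The two denial records quoted in the message above, copied verbatim.
SAMPLE_LOG = '''audit: type=1400 audit(1496230982.227:68): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="/usr/bin/parole" name="/usr/bin/xdg-screensaver" pid=3304 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/xdg-screensaver"
audit: type=1400 audit(1495963224.908:82): apparmor="DENIED" operation="mknod" profile="/usr/bin/parole" name="/run/user/1000/orcexec.IveM1L" pid=3649 comm="aqueue:src" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
'''

HEADER = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):')   # epoch.millis:serial
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key="quoted value" or key=bare

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None."""
    head = HEADER.search(line)
    if head is None or 'apparmor=' not in line:
        return None
    # Only the part after the audit(...) header carries the AppArmor fields.
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
    rec['time'] = datetime.fromtimestamp(int(head.group(1)), tz=timezone.utc)
    rec['serial'] = int(head.group(3))
    return rec

def parse_log(text):
    """Parse every AppArmor record in a block of log text, skipping other lines."""
    return [r for r in map(parse_record, text.splitlines()) if r]

def triage(rec):
    """Return a one-line reading of a DENIED record."""
    if rec.get('apparmor') != 'DENIED':
        return f"{rec.get('profile')}: not a denial"
    if rec['operation'] == 'exec' and rec.get('info') == 'profile transition not found':
        # The exec rule requested a transition to the target's own profile.
        return f"{rec['profile']}: exec of {rec['target']} asked for a profile that is not loaded"
    return (f"{rec['profile']}: {rec['operation']} on {rec['name']} "
            f"by {rec['comm']} denied (mask {rec['denied_mask']})")

if __name__ == '__main__':
    for rec in parse_log(SAMPLE_LOG):
        print(rec['time'].isoformat(), triage(rec))
```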