Hello Seth

Thank you for the answers. I understood many things, thanks to you. I
appreciate it, really.

First thing: about the 'xdg-screensaver' issue etc.; you wrote that if I
"don't trust data being supplied to Parole" then I should probably
prefer/use the 'Px' rule instead of 'PUx', right? But after this change,
and using the apparmor_parser(8) utility to load the "new" profile, the log
files contain:

audit: type=1400 audit(1496230982.227:68): apparmor="DENIED"
operation="exec" info="profile transition not found" error=-13
profile="/usr/bin/parole" name="/usr/bin/xdg-screensaver" pid=3304
comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
target="/usr/bin/xdg-screensaver"

Returning to the "PUx" rule seems to help: there is no DENIED entry etc.
(NOTE: with the "Px" rule, Parole works OK; it is just this log entry.) So,
what should I do in this situation? I trust the data supplied to Parole. I
hope so... :-) And answering your question: I did not notice Parole
downloading anything from the web, neither song lyrics nor album art etc.

As for abstractions: I will add <abstractions/gnome> and 'audio', of
course. I have a comment in the Parole profile which says: "using an audio
abstraction seems to be a better solution". But I just wanted to be 100%
sure and so on.

>> dbus send
>>         bus=accessibility
>>         path=/org/freedesktop/hostname1
>>         interface=org.freedesktop.DBus.Properties
>>         member=GetAll,

Thanks for pointing out my mistake with bus="system", when my rule specified
bus="accessibility". Fixed. Also, the documentation was very helpful.

Now the "orcexec.*" files: I decided to change the rules and use 'deny'
instead of 'owner'. After reloading the profile, Parole seems to work
normally and there are no DENIED entries in the log files. I did the same
with the PulseAudio profile, because it has similar rules. No problems so
far. I will do the same in every profile with these rules and keep an eye
on this issue.

I asked about "aqueue:src", right? It was in a log entry related to the
"orcexec.*" files:

audit: type=1400 audit(1495963224.908:82): apparmor="DENIED"
operation="mknod" profile="/usr/bin/parole"
name="/run/user/1000/orcexec.IveM1L" pid=3649 comm="aqueue:src"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Can you write something more about this now? I'm asking because you
mentioned rootkits etc. Should I make some changes in the profile, e.g. to
the rules? (You wrote: "So be sure to use the /run/user/..." Is that
enough? Just change "/{,var/}run/user/" to "/run/user/..."? Geez, what a
naive question. Sorry.)

>> Because you haven't submitted the profile yet :)

Parole seems to work OK, even when the profile is in "enforce" mode. I will
do some more tests to exclude errors etc. Should I paste the Parole profile
somewhere? Does it make any sense?
Maybe this profile is not so bad and can be added to the AppArmor profiles?
:-)

Thanks, best regards.
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
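An added illustration (not the profile from this thread, nor anything Seth posted) of how the rules discussed in the message would sit together in a profile for /usr/bin/parole; the orcexec.* path pattern, the file permission letters and the abstractions list are assumptions, only the paths and the D-Bus fields come from the log lines and the quoted rule.

```apparmor
# Added example, not the author's actual Parole profile.
#include <tunables/global>

/usr/bin/parole {
  #include <abstractions/base>
  #include <abstractions/gnome>
  #include <abstractions/audio>

  # Px: run xdg-screensaver only under its own loaded profile. If no profile
  # for /usr/bin/xdg-screensaver is loaded, the exec is refused and the log
  # shows "profile transition not found", which is the DENIED line quoted
  # in the message. PUx: use that profile if it exists, else run unconfined.
  # Px is the safer choice once a profile for the helper exists.
  /usr/bin/xdg-screensaver PUx,

  # D-Bus rule from the thread, with bus=accessibility corrected to bus=system.
  dbus send
       bus=system
       path=/org/freedesktop/hostname1
       interface=org.freedesktop.DBus.Properties
       member=GetAll,

  # Runtime-dir files seen in the mknod DENIED entry (assumed glob).
  # An explicit deny is quiet by default, so no further audit lines appear;
  # the earlier "owner ..." form would instead grant the access.
  deny /run/user/*/orcexec.* rw,
}
```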
