On Wed, Jul 12, 2017 at 10:32:35AM +0000, Grand T wrote:
> Anyway there is an issue with the Thunderbird apparmor profile
> 
> 
>  root@debian:/# cp  /etc/apparmor.d/usr.bin.thunderbird /etc/apparmor.d/local

Why do you *copy* the existing profile into the user-dedicated folder? That
makes no sense at all.
This way the same profile will be loaded within the already included
profile. This brings some nested inclusion like seen further down.

> root@debian:/# aa-disable usr.bin.thunderbird
> 
> ERROR: local/usr.bin.thunderbird profile in local/usr.bin.thunderbird 
> contains syntax errors in line 202: a child profile inside another child 
> profile is not allowed.

Well, the gpg profile part is already loaded by the profile in
/etc/apparmor.d/ and is then loaded again by the inclusion of the whole
folder /etc/apparmor.d/local.

> Here is the section involved
> 
> 
>  # TB tries to create this file but has no business doing so
>   deny @{HOME}/.gnupg/gpg-agent.conf w,
> 
>   profile gpg {
>     #include <abstractions/base>
> 
>     # Required to import keys from keyservers
>     #include <abstractions/nameservice>
>     #include <abstractions/p11-kit>
> 
> 
> So once again I do it manually
> 
> 
> root@debian:/etc/apparmor.d# cp usr.bin.thunderbird disable
> root@debian:/etc/apparmor.d# systemctl reload apparmor.service
> 
> 
> Jul 12 12:18:08 debian apparmor[1767]: Reloading AppArmor profiles:Skipping 
> profile in /etc/apparmor.d/disable: usr.bin.thunderbird
> 
> 
> And now no more trouble with that bad profile :=))

Remove the copied profile from /etc/apparmor.d/local and I suspect there
are no more issues.

The question is whether the shipped profile is causing issues or not;
problems caused by users' profiles are something we can't be responsible for. So
how is Thunderbird or apparmor acting with the profile from the
thunderbird package only?

Regards
Carsten
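
The nesting described in the reply above, as an added example that is not part of the original message: a shell check that flags files under `local/` holding a whole profile instead of bare rules. It assumes the shipped profile pulls in `local/usr.bin.thunderbird` from inside its own braces; the sample tree, its contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and file contents are constructed.

# Print the name of every file in <dir>/local that opens a profile block.
# Files in local/ are included from inside the shipped profile's braces
# (assumption), so they may hold rules only; a "profile x {" or "/path {"
# header there produces the nested-profile error quoted in the thread.
find_profiles_in_local() {
    for f in "$1"/local/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*(profile[[:space:]]+[^[:space:]]+|/[^[:space:]]+)([[:space:]].*)?\{[[:space:]]*$' "$f"; then
            basename "$f"
        fi
    done
}

# Build a constructed apparmor.d tree in a temp directory and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/local"
    cat > "$d/usr.bin.thunderbird" <<'EOF'
profile thunderbird /usr/bin/thunderbird {
  #include <abstractions/base>
  deny @{HOME}/.gnupg/gpg-agent.conf w,
  profile gpg {
    #include <abstractions/base>
  }
  #include <local/usr.bin.thunderbird>
}
EOF
    # The mistake from the thread: the whole profile copied into local/.
    cp "$d/usr.bin.thunderbird" "$d/local/usr.bin.thunderbird"
    # A valid local override: bare rules, no profile header.
    printf '%s\n' '# site-specific additions' 'owner @{HOME}/Mail/** rw,' \
        > "$d/local/usr.bin.example"
    echo "$d"
}

tree=$(make_sample_tree)
find_profiles_in_local "$tree"
rm -rf "$tree"
```

On a real system the function would be pointed at `/etc/apparmor.d`; any file it names should be reduced to rules only or removed.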
