Control: tag -1 + moreinfo

Hi!

Elia Argentieri:
> This is what I get with `sudo tail /var/log/audit/audit.log -f | grep DENIED`
> when I open any video:

Thank you for reporting this. I cannot reproduce this locally: Totem
works just fine with this AppArmor policy on my up-to-date sid system.
Disclaimer: I've only tried on GNOME + Wayland.

So let's try to identify what the blocker(s) is/are on your system.

> type=AVC msg=audit(1499516756.417:5744): apparmor="DENIED" operation="open"
> profile="/usr/bin/totem" name="/home/elia/.cache/mesa/index" pid=4881
> comm="totem" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

In case it matters: are you using X.Org or Wayland? If using X.Org,
_if you're curious_ it would be interesting if you could retry on
GNOME + Wayland, but that's not really needed.

Anyway, please try adding this line to
/etc/apparmor.d/local/usr.bin.totem:

  owner @{HOME}/.cache/mesa/index rwk,

… and reload the /etc/apparmor.d/usr.bin.totem profile then retry.

> type=AVC msg=audit(1499516756.529:5745): apparmor="DENIED" operation="open"
> profile="/usr/bin/totem"
> name="/var/lib/flatpak/exports/share/icons/hicolor/index.theme" pid=4881
> comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

We don't support Flatpak stuff yet, so that *might* be the reason.
It's being discussed on the upstream AppArmor mailing list though.
Did you install anything (even vaguely) related to Totem or GNOME
using Flatpak?

Anyway, please try adding this line to
/etc/apparmor.d/local/usr.bin.totem:

  /var/lib/flatpak/exports/share/icons/** r,

… and reload the /etc/apparmor.d/usr.bin.totem profile then retry.

Please do these experiments separately, so we can identify if each
of these problems is a blocker, or not.

Thanks!
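
Added example, not part of the original message or of the AppArmor tooling: a small Python parser that turns DENIED records like the two quoted above into candidate lines for /etc/apparmor.d/local/usr.bin.totem, to be reviewed before use. The function names, the `home` default (taken from the quoted log) and the third sample record are assumptions made for illustration.

```python
import re

# Constructed sample: the two quoted denials re-joined to one record per line,
# plus one constructed ALLOWED record that must be ignored.
SAMPLE = '''\
type=AVC msg=audit(1499516756.417:5744): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/home/elia/.cache/mesa/index" pid=4881 comm="totem" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
type=AVC msg=audit(1499516756.529:5745): apparmor="DENIED" operation="open" profile="/usr/bin/totem" name="/var/lib/flatpak/exports/share/icons/hicolor/index.theme" pid=4881 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516757.001:5746): apparmor="ALLOWED" operation="open" profile="/usr/bin/totem" name="/tmp/x" pid=4881 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

# key=value pairs; values are either double-quoted or bare tokens.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one entry per (profile, path) for file denials, merging masks."""
    seen = {}
    for line in text.splitlines():
        rec = {k: q or b for k, q, b in FIELD.findall(line)}
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        key = (rec["profile"], rec["name"])
        entry = seen.setdefault(key, {"profile": rec["profile"],
                                      "name": rec["name"],
                                      "mask": set(), "owner": True})
        entry["mask"] |= set(rec.get("denied_mask", ""))
        # "owner" only fits if the process uid owned the file in every record.
        entry["owner"] &= rec.get("fsuid") == rec.get("ouid")
    return list(seen.values())

def candidate_rule(entry, home="/home/elia"):
    """Build a candidate file rule; exec (x) needs a qualifier and is left out."""
    # Audit masks 'c' (create) and 'd' (delete) are covered by 'w' in policy.
    perms = {"w" if m in "cd" else m for m in entry["mask"]}
    mask = "".join(p for p in "rwaklm" if p in perms)
    path = entry["name"]
    if path.startswith(home + "/"):
        path = "@{HOME}" + path[len(home):]
    return f'{"owner " if entry["owner"] else ""}{path} {mask},'

if __name__ == "__main__":
    for e in parse_denials(SAMPLE):
        print(e["profile"], "->", candidate_rule(e))
```

The candidates cover only what the log shows as denied; the rules suggested in the message are deliberately a little broader (an extra `k` lock permission and a `**` glob for the icon directory).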
