Hi again, On Thu, Jan 18, 2018 at 02:05:02PM +0100, Rene Engelhard wrote: > X stuff....
diff --git a/sysui/desktop/apparmor/program.oosplash b/sysui/desktop/apparmor/program.oosplash index fef54b7ee384..d68fa776de8f 100644 --- a/sysui/desktop/apparmor/program.oosplash +++ b/sysui/desktop/apparmor/program.oosplash @@ -14,6 +14,7 @@ profile libreoffice-oopslash INSTDIR-program/oosplash { #include <abstractions/base> + #include <abstractions/X> /etc/libreoffice/ r, /etc/libreoffice/** r, might do at least parts of it. (Xauthority for example.) > > Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" > > operation="open" profile="libreoffice-soffice" > > name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 > > comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 > > Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" > > operation="open" profile="libreoffice-soffice" > > name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" > > pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 > > ouid=1000 > > Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" > > operation="open" profile="libreoffice-soffice" > > name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" > > pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" > > fsuid=1000 ouid=1000 > > Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" > > operation="open" profile="libreoffice-soffice" > > name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" > > pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" > > fsuid=1000 ouid=1000 > > Here it gets interesting. That's for digital signing with X.509. The > certificates are supposed to come from mozilla... > > > Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" > > operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" > > pid=21125 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 > > ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg" [...] diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin index ff2c4b08cd4b..efa801445e6b 100644 --- a/sysui/desktop/apparmor/program.soffice.bin +++ b/sysui/desktop/apparmor/program.soffice.bin @@ -114,6 +114,8 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin { /usr/bin/lpr rmPUx, /usr/bin/paperconf rmix, /usr/bin/gpgconf rmix, + /usr/bin/gpg rmix, + /usr/bin/gpgsm rmix, /dev/tty rw, is trivial, though I still wonder about > > Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" > > operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" > > name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21125 comm="gpg" > > requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0 stuff like this and the following (libc, locale.alias, etc.)... Regards, Rene