Re: Apparmor: 1 processes are unconfined but have a profile defined
Hi.
I accept on-list communication only.
On Fri, Jul 13, 2018 at 11:09:19PM +0300, Ge wrote:
> Hi, I couldn't figure it out, so I deleted all Firefox profiles and I started
> again from the beginning
If you just deleted the files from /etc/apparmor.d - that won't be
enough as old profiles are still loaded into the running kernel.
See if it sticks after the reboot.
But,
> My Firefox profile now seems to work.
>
> sudo cat ./usr.lib.firefox-esr.firefox-esr
If your AppArmor profile is not world-readable then you're doing it
wrong (i.e. sudo should not be needed for this).
> [sudo] password for gssd:
> # Last Modified: Fri Jul 13 19:58:57 2018
> #include <tunables/global>
>
> /usr/lib/firefox-esr/firefox-esr {
That line's crucial. Enabling and disabling should be done via
aa-enforce/aa-complain /usr/lib/firefox-esr/firefox-esr.
> "/home/gssd/.mozilla/firefox/Crash Reports/*" r,
This one and everything like it are better written as:
owner "@{HOME}/.mozilla/firefox/Crash Reports/*" r,
And I wonder whether disabling writing crash reports was intentional.
> /home/*/.mozilla/firefox/72z9u2as.default/browser-extension-data/** rw,
This one:
owner @{HOME}/.mozilla/firefox/*/browser-extension-data/** rw,
Everything else is more or less ok.
Reco
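
The two rewrites suggested in the message above, generalized into a small profile linter; this is an added example, not part of the original message. The function names, the `/usr/lib/firefox-esr/** mr,` sample rule and the assumed Firefox profile directory pattern (eight lowercase alphanumerics, a dot, a name) are illustrative assumptions.

```python
import re

# One file rule whose path is under /home/<user>/ or /home/*/, quoted or not,
# with or without an existing "owner" prefix or trailing comma.
RULE = re.compile(
    r'^(\s*)(?:owner\s+)?'
    r'(?:"(/home/[^/"]+/[^"]*)"|(/home/[^/\s]+/\S*))'
    r'\s+([a-zA-Z]+)\s*,?\s*$')
# Assumption: Firefox profile directories look like "72z9u2as.default".
FX_PROFILE = re.compile(r'(\.mozilla/firefox/)[a-z0-9]{8}\.[^/]+/')

def rewrite_rule(line):
    """Return the rule in 'owner @{HOME}/...' form, or the line unchanged."""
    m = RULE.match(line)
    if not m:
        return line  # not a /home file rule: header, include, other paths
    indent, quoted, bare, perms = m.groups()
    # Hard-coded user (or wildcard user) becomes the @{HOME} tunable,
    # which the profile gets from "#include <tunables/global>".
    path = re.sub(r'^/home/[^/]+/', '@{HOME}/', quoted or bare)
    # A per-installation profile directory becomes a glob.
    path = FX_PROFILE.sub(r'\1*/', path)
    if re.search(r'\s', path):
        path = f'"{path}"'  # paths with spaces must stay quoted
    # "owner" limits the rule to files owned by the confined process's user;
    # every rule ends with a comma.
    return f'{indent}owner {path} {perms},'

def rewrite_profile(text):
    return '\n'.join(rewrite_rule(l) for l in text.splitlines())

# Constructed sample: the two /home rules quoted in the thread plus one
# made-up system rule that must be left alone.
SAMPLE = '''/usr/lib/firefox-esr/firefox-esr {
  "/home/gssd/.mozilla/firefox/Crash Reports/*" r,
  /home/*/.mozilla/firefox/72z9u2as.default/browser-extension-data/** rw,
  /usr/lib/firefox-esr/** mr,
}'''

if __name__ == '__main__':
    print(rewrite_profile(SAMPLE))
```
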