[apparmor] Updating the Pidgin profile
Simon Deziel
simon.deziel at gmail.com
Fri Jan 24 16:11:47 UTC 2014
Hi intrigeri,
On 14-01-24 10:58 AM, intrigeri wrote:
> Hi,
>
> Simon Deziel wrote (22 Jan 2014 14:43:36 GMT) :
>> Sorry for the delayed response.
>
> 100% fine with me :)
>
>> On 14-01-19 09:25 AM, intrigeri wrote:
> [...]
>>>>>> owner @{HOME}/.{cache,config}/dconf/user rw,
>>>>>
>>>>> What is the "cache" part for?
>>>
>>> I believe you have missed this question. Or maybe your following
>>> answer (about .config/indicators) did cover this one too?
>
>> It was in the initial profile from 11.04 but looking at [1] they seem
>> legitimate. Both are used as shown in this audit extract:
>> [...]
>
> OK, so I now have:
>
> #include <abstractions/dconf>
> [...]
> owner @{HOME}/.cache/dconf/user rw,
>
> By the way, since my GDM works fine with logind, I also need:
>
> owner /{,var/}run/user/*/dconf/user rwk,
This all makes sense for a recent release. On Precise, the
abstractions/dconf is not available though.
>>>>>> /usr/bin/gconftool-2 rix,
>>>>>> /usr/bin/gnome-default-applications-properties ix,
>>>>>> /usr/bin/gnome-network-preferences ix,
>>>>>
>>>>> I'm adding P, in case a profile is written for one of those some day.
>>>
>>>> P and i are incompatible as far as I understand.
>>>
>>> The documentation about it is very confusing, but Pix is valid.
>
>> Indeed, "Pix" is valid and I added it to g-d-a-p and g-n-p.
>
> I can't see it on
> https://github.com/simondeziel/aa-profiles/blob/master/12.04/usr.bin.pidgin.
> Did you push elsewhere?
Fixed now.
>>>>>> /usr/share/locale-langpack/** rm,
>>>>>
>>>>> Isn't the "r" permission granted by abstraction/base enough? I'm not
>>>>> running Ubuntu, so I'm not using langpack's and cannot test myself.
>>>
>>> Ping?
>
>> This locale-langpack rule is gone from my profile and no problem to
>> report since that.
>
> Thanks for testing!
>
>>> I think I'm going to complete a profile that requires running GNOME
>>> control center and network configuration by hand, to start with, then.
>>> Done in the attached profile.
>
>> That makes sense. I'd probably add a comment in the profile that this is
>> on purpose. This should prevent users from disabling the profile that
>> "gets in their way" and use the manual way instead.
>
> Great idea, done.
>
> I'd like someone else than me to test my current profile (attached),
> before I ask for inclusion again. Simon, do you want to test it?
I'm not yet ready to move to Trusty/14.04 yet so I cannot test with
fresh packages. If/when I do, I'll post feedback.
Thanks for your great work on this!
Simon
More information about the AppArmor
mailing list