[apparmor] [profile] xfce4-dict: complain mode: /usr/bin/enchant, /usr/bin/enchant-lsmod and access to Specific Resources.

daniel curtis sidetripping at gmail.com
Thu Aug 31 11:28:13 UTC 2017


Hello Seth

>> The ..//null-.. profiles are created by the kernel when a process
>> in a complain-mode profile executes another program.

OK, I understand this, but the main xfce4-dict program was enforced. The
"//null-" profiles were shown in the aa-status(8) command result. (It
concerned the mentioned /usr/bin/enchant-lsmod and /usr/bin/enchant; see
the first message etc.)

As I already mentioned, everything changed after converting "rix" to
"mrix" mode for these two enchant files. Given all of this, I
would like to ask if it is okay? (I mean the access mode change.) Can I use
these rules?

/usr/bin/enchant mrix,
/usr/bin/enchant-lsmod mrix,

With "mrix" access mode, xfce4-dict works as it should and there are
no "DENIED" entries in the log files etc. So?

There is one more thing: the ".ecryptfs" folder. During profile creation
and after, it turned out that the dictionary needs access to the
"/home/.ecryptfs/" folder. Because I see no reason why xfce4-dict
should have such access, I decided to deny/forbid this operation. And
everything works normally: no "DENIED" entries in the log files, no problems
with xfce4-dict etc.

Have I made a good decision? What is your opinion, what should I really do
in this case?

By the way, which access mode should be used in the AppArmor profile for
requested_mask="rac" denied_mask="rac"? I'm asking because there are a
couple of entries such as:

apparmor="ALLOWED" operation="open"
profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant"
name="/home/user4859/.config/enchant/en_EN.dic" pid=3027 comm="enchant"
requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000

It is an excerpt from a log entry created at the beginning.
I was thinking about applying, for example, "rw" mode. Honestly, I don't
know, but for now I use "rw" in the xfce4-dict profile. I'm not quite sure.

Once again: what is your opinion? What should I do and which access mode
should be used?

Thanks, best regards.
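Added example (not part of the message above or of the AppArmor project's own tools): a small parser for AppArmor audit lines like the one quoted in the message. It recognises the "//null-" profile name as "parent profile executed child in complain mode", and turns the audit-log permission letters into a profile rule. The audit log reports create ("c") and delete ("d") as separate letters, but the profile language has no "c" or "d"; both are granted by "w", and "w" also implies append ("a"), which is why requested_mask="rac" maps to an "rw" rule. The second sample line (a read of /home/.ecryptfs/ by xfce4-dict) is constructed for illustration; the regex that rewrites /home/<user>/ to @{HOME}/ and the "owner" heuristic (fsuid == ouid) follow the convention aa-logprof uses, but are this example's own code.

```python
import re

# Audit-log permission letters -> permission letter used in a profile rule.
# "c" (create) and "d" (delete) only exist in the log; a profile grants them
# with "w", which also implies "a" (append).
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
               "m": "m", "k": "k", "l": "l", "x": "x"}
RULE_ORDER = "rwalkmx"  # ordering used when emitting the rule

# key="quoted value" or key=bareword, as printed by the audit subsystem
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# /home/<user>/... -> @{HOME}/...   (skips dot-dirs such as /home/.ecryptfs/)
HOME_RE = re.compile(r"^/home/[^/.][^/]*/(?=.)")

# First line is the one quoted in the message; second is constructed here.
SAMPLE_LINES = [
    'apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" '
    'name="/home/user4859/.config/enchant/en_EN.dic" pid=3027 comm="enchant" '
    'requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000',
    # constructed sample: xfce4-dict itself reading /home/.ecryptfs/
    'apparmor="DENIED" operation="open" profile="/usr/bin/xfce4-dict" '
    'name="/home/.ecryptfs/" pid=3010 comm="xfce4-dict" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]


def parse_audit_line(line):
    """Split one audit line into a dict of its key/value fields."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def split_null_profile(profile):
    """'parent//null-child' -> (parent, child); plain profile -> (profile, None).

    A //null- profile means the parent profile executed the child while in
    complain mode, so the event is really the child's access under the parent.
    """
    parent, sep, child = profile.partition("//null-")
    return (parent, child) if sep else (profile, None)


def log_mask_to_rule_perms(mask):
    """Map an audit requested_mask (e.g. 'rac') to rule permissions ('rw')."""
    perms = {LOG_TO_RULE[c] for c in mask if c in LOG_TO_RULE}
    if "w" in perms:
        perms.discard("a")  # "w" already implies append
    return "".join(p for p in RULE_ORDER if p in perms)


def suggest_rule(fields):
    """Build a file rule for one parsed event (heuristics, not aa-logprof)."""
    path = HOME_RE.sub("@{HOME}/", fields["name"])
    perms = log_mask_to_rule_perms(fields.get("requested_mask", ""))
    # same uid for process and file -> the 'owner' qualifier fits
    owner = "fsuid" in fields and fields["fsuid"] == fields.get("ouid")
    return ("owner " if owner else "") + path + " " + perms + ","


def suggest_rules(lines):
    """Return (profile, accessor, rule) per file event; exec events are skipped."""
    out = []
    for line in lines:
        f = parse_audit_line(line)
        if "name" not in f or "requested_mask" not in f:
            continue
        if "x" in f["requested_mask"]:
            continue  # exec needs an ix/Px/Cx choice the log cannot make
        parent, child = split_null_profile(f["profile"])
        out.append((parent, child or f.get("comm", "?"), suggest_rule(f)))
    return out


if __name__ == "__main__":
    for profile, accessor, rule in suggest_rules(SAMPLE_LINES):
        print(f"{profile}  (by {accessor}):  {rule}")
```

Running it prints one suggested rule per sample line; the "rac" entry becomes `owner @{HOME}/.config/enchant/en_EN.dic rw,` attributed to the xfce4-dict profile (because with an inherit "ix" rule for enchant the child runs under the parent's profile). Whether a rule should be allowed or turned into a `deny` rule, as the message does for /home/.ecryptfs/, is a policy decision the script deliberately leaves to the profile author.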