[apparmor] [profile] lightdm-guest-session: "DENIED"; "mount" and "open" operation, gvfs-fuse-daemo and "/proc/*/net/arp" issue.

Seth Arnold seth.arnold at canonical.com
Thu Feb 9 20:16:12 UTC 2017


On Thu, Feb 09, 2017 at 05:44:53PM +0100, daniel curtis wrote:
> audit(1486652418.489:50): apparmor="DENIED" operation="mount" parent=1
> profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper"
> name="/tmp/guest-jETKy5/.gvfs/" pid=3025 comm="gvfs-fuse-daemo"
> fstype="fuse.gvfs-fuse-daemon" srcname="gvfs-fuse-daemon" flags="rw,
> nosuid, nodev"

Hi Daniel,

I recommend leaving these alone.

The whole point of the guest mode profile is to drastically reduce the
abilities of the processes that the user can spawn. We don't want the
user doing anything that is persistent. The session isn't intended to
be used for weeks or months at a time, so the Firefox locations tool
doesn't need to be perfect. The usual use will be for an hour or two
and probably whoever is using it won't make drastic network changes often.

You can add 'deny' rules for these if you want to silence your logs. I'm
very lazy so I'd leave it alone. :)

Thanks
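
One way to turn DENIED records like the one quoted above into candidate 'deny' rules for silencing the log, as an added example that is not part of the original message or of the AppArmor project's code. The second and third sample records, the helper names and the path globs are assumptions made for illustration.

```python
import re

# Constructed sample: line 1 is the record quoted above joined onto one line;
# lines 2 and 3 are made-up records (the "open" path comes from the subject line).
SAMPLE_LOG = '''\
audit(1486652418.489:50): apparmor="DENIED" operation="mount" parent=1 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" name="/tmp/guest-jETKy5/.gvfs/" pid=3025 comm="gvfs-fuse-daemo" fstype="fuse.gvfs-fuse-daemon" srcname="gvfs-fuse-daemon" flags="rw, nosuid, nodev"
audit(0000000000.000:00): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" name="/proc/3100/net/arp" pid=3100 comm="firefox" requested_mask="r" denied_mask="r"
audit(0000000000.000:01): apparmor="ALLOWED" operation="open" profile="example" name="/etc/hosts" denied_mask="r"
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def generalize(path):
    """Replace per-process and per-session path parts with globs (assumed patterns)."""
    path = re.sub(r'^/proc/\d+/', '/proc/[0-9]*/', path)
    return re.sub(r'^/tmp/guest-[^/]+/', '/tmp/guest-*/', path)

def deny_rule(rec):
    """Return a candidate deny rule for a DENIED record, or None if not applicable."""
    if rec.get('apparmor') != 'DENIED' or 'name' not in rec:
        return None
    path = generalize(rec['name'])
    if rec.get('operation') == 'mount':
        fstype = 'fstype=%s ' % rec['fstype'] if 'fstype' in rec else ''
        return 'deny mount %s-> %s,' % (fstype, path)
    if 'denied_mask' in rec:
        return 'deny %s %s,' % (path, rec['denied_mask'])
    return None

def deny_rules(log_text):
    """Collect unique candidate rules, in order of first appearance."""
    rules = []
    for line in log_text.splitlines():
        rule = deny_rule(parse_record(line))
        if rule and rule not in rules:
            rules.append(rule)
    return rules

if __name__ == '__main__':
    print('\n'.join(deny_rules(SAMPLE_LOG)))
```

The output is a starting point to review before pasting into the guest-session profile; explicit deny rules are not logged unless prefixed with `audit`, which is what silences the messages.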

