<div dir="ltr">
<div class="gmail_default" style="font-family:verdana,sans-serif">Hello<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">A few days ago, I installed the 16.04 LTS release (mostly for making various tests etc.). This is an old i386 computer, so I decided to use the XFCE desktop environment. Let's get to the main part of the message.<br><br>Yesterday, I created a (working) profile for xfce4-dict, which is a client program to query different dictionaries. The main reason was an online dictionary service that allows the user to search various dictionary things and so on. In other words: xfce4-dict connects to the internet (see the log entries below).<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Anyway, I have a couple of questions related to a spellchecker: enchant. To create the profile, I used the aa-genprof(8) utility. After some time, when I had used the xfce4-dict program in different ways (to exercise its functionality), I chose the (S)can option to check the logs for entries - standard steps, action.<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">My "problems" are with these two files: /usr/bin/enchant and /usr/bin/enchant-lsmod. For me, dealing with execute access is complex. "Severity" for both was: unknown. ("Profile" - the same for both, "Execute" - see the above paths.)<br><br>However, I had to proceed with this and choose which execute permission type to grant to these entries. I will show how it looked (for both):<br><br>(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish<br><br>I chose the first option: (I)nherit. (Stay in the same security profile - the parent's profile.) This mode is useful when a confined program - xfce4-dict - needs to call another confined program (in this case: enchant), right? But enchant is not confined. After this step, aa-genprof(8) generated these rules:<br><br>✓ /usr/bin/enchant rix,<br>✓ /usr/bin/enchant-lsmod rix,<br>✓ /usr/bin/xfce4-dict mr,<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Everything seems to work OK. (In the meantime it turned out that some dbus-related rules must be added.) But the aa-status(8) utility shows that there are two profiles in complain mode while the xfce4-dict profile is enforced:<br><br>2 profiles are in complain mode.<br>&nbsp;&nbsp;&nbsp;/usr/bin/xfce4-dict//null-/usr/bin/enchant<br>&nbsp;&nbsp;&nbsp;/usr/bin/xfce4-dict//null-/usr/bin/enchant-lsmod<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">So: I would like to ask what I should do in such a situation?<br>I was thinking about creating, for example:<br><br>✗ Child Profile<br>✗ use 'Px' or 'PUx' access mode<br>✗ create a separate profile/s<br><br>(I did not mention 'Ux'/'ux' - very dangerous, no enforcement of policy etc.) What do you think about these solutions? Are they OK, or is there another way to solve this issue?<br>To make this situation clearer, here are some examples of log entries "created" by the enchant program (Note: all actions were "ALLOWED", because of testing xfce4-dict via the aa-genprof(8) utility):<br><br>✓ profile="/usr/bin/xfce4-dict" name="/usr/bin/enchant" pid=3031 comm="xfce4-dict" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/xfce4-dict//null-/usr/bin/enchant"<br>✓ profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/etc/ld.so.cache" pid=3031 comm="enchant" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0<br>✓ profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/usr/lib/i386-linux-gnu/libenchant.so.1.6.0" pid=3031 comm="enchant" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0<br>✓ profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/lib/i386-linux-gnu/libpthread-2.23.so" pid=3031 comm="enchant" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0<br>✓ profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/etc/locale.alias" pid=3031 comm="enchant" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">And so on. Most of the log entries are related to the "/{usr/,}lib/@{multiarch}/" folders. Of course there is also the "/usr/share/hunspell/*" directory. The above entries can be used, for example, in a separate enchant profile - if that is a good solution, of course.<br><br>There is one issue which amazed me. It seems that xfce4-dict/enchant wants access to the cryptographic filesystem. (By the way: the "/home" partition is encrypted.) Logs:<br><br>✓ operation="open" profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/home/.ecryptfs/user4859/.Private/*" comm="enchant" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">There are a couple of such entries. Because I see no reason why enchant needs access to this folder, I decided to 'deny' the "wr" mode. Maybe I'll use the 'audit' keyword. Generally, xfce4-dict is working well even when access is denied.<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">The last thing. Because xfce4-dict makes internet connections, the &lt;abstractions/nameservice&gt; rule is needed, right? Is it enough according to such log entries?<br><br>✓ operation="file_perm" profile="/usr/bin/xfce4-dict" pid=3024 comm="xfce4-dict" laddr=192.168.10.3 lport=60450 faddr=216.18.x.y fport=2628 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"<br>✓ operation="sendmsg" profile="/usr/bin/xfce4-dict" pid=3024 comm="xfce4-dict" laddr=127.0.0.1 lport=32065 faddr=127.0.1.1 fport=53 family="inet" sock_type="dgram" protocol=17 requested_mask="send" denied_mask="send"<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Some examples - but there are more entries like these. Oh, by the way: how should I treat/read such an access mode?<br><br>✓ requested_mask="rac" denied_mask="rac"<br><br>I'm asking because there is one log entry for the "@{HOME}/.config/enchant/*.dic" file. Summarizing: xfce4-dict put in enforce mode is working well. The profile is quite short except for the dbus rules, but that can be fixed by adding an include of &lt;abstractions/dbus-*&gt; etc.<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">I'm sorry for such a long message. I thought it would be shorter. I decided to create an xfce4-dict profile because of its internet connections. In my opinion, it's a good idea to confine applications that do such things with AppArmor profiles.<br><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Thanks for your patience, best regards.<br></div>
</div>
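A helper I would use to triage audit entries like the ones quoted in the message above, written for this thread (not code from the original message or from the AppArmor project): it parses the audit lines, collapses a logged mask such as "rac" into the letters a profile rule can carry, turns socket events into `network` rules, and flags paths a dictionary client should not be writing to (the ecryptfs path above) for manual review rather than accepting what the learning tool offers. LOG_LINES are entries taken from the message; REVIEW_PREFIXES is an assumed local policy, and the `?x` placeholder stands for the exec qualifier a human still has to choose.

```python
"""Turn AppArmor audit lines into candidate profile rules, grouped per profile.
Added example for this thread, not code from the original message or the
AppArmor project; LOG_LINES are entries quoted in the message, REVIEW_PREFIXES
is a constructed local policy, mask letters follow apparmor.d(5)."""
import re
from collections import defaultdict

LOG_LINES = [  # four of the entries quoted in the message above
    'profile="/usr/bin/xfce4-dict" name="/usr/bin/enchant" pid=3031 comm="xfce4-dict" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/xfce4-dict//null-/usr/bin/enchant"',
    'profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/etc/ld.so.cache" pid=3031 comm="enchant" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'operation="open" profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/home/.ecryptfs/user4859/.Private/*" comm="enchant" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000',
    'operation="sendmsg" profile="/usr/bin/xfce4-dict" pid=3024 comm="xfce4-dict" laddr=127.0.0.1 lport=32065 faddr=127.0.1.1 fport=53 family="inet" sock_type="dgram" protocol=17 requested_mask="send" denied_mask="send"',
]
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# 'a' (append), 'c' (create) and 'd' (delete) have no letter of their own in
# profile syntax: 'w' grants all of them, so a logged "rac" becomes "rw".
SUBSUMED_BY_W = set("acd")
# Constructed policy: paths where a dictionary client has no business writing.
REVIEW_PREFIXES = ("/home/.ecryptfs/",)

def parse(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def to_rule_mode(mask):
    """Collapse a logged file mask into the letters a rule can carry.
    'x' is kept as-is: its qualifier (ix/Px/Cx, ...) is a human decision."""
    letters = set(mask)
    if letters & SUBSUMED_BY_W:
        letters = (letters - SUBSUMED_BY_W) | {"w"}
    return "".join(ch for ch in "rwmlkx" if ch in letters)

def suggest(entry):
    """Return (profile, candidate rule, flag) for one parsed entry."""
    if "family" in entry:  # socket event: needs a network rule, not a file rule
        return entry["profile"], f'network {entry["family"]} {entry["sock_type"]},', ""
    name, mode = entry["name"], to_rule_mode(entry["requested_mask"])
    if "x" in mode:        # '?x' is a placeholder until ix/Px/Cx is chosen
        return entry["profile"], f"{name} ?x,", "choose exec mode"
    flag = "review" if name.startswith(REVIEW_PREFIXES) else ""
    return entry["profile"], f"{name} {mode},", flag

def candidate_rules(lines):
    """Group candidate rules by the profile that logged them."""
    rules = defaultdict(list)
    for line in lines:
        profile, rule, flag = suggest(parse(line))
        rules[profile].append((rule, flag))
    return dict(rules)
```

Feed `candidate_rules()` the lines from your own audit log; everything flagged "review" or "choose exec mode" is a decision point, not something to paste into the profile.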