On 05/20/2017 11:00 AM, Carsten Schoenert wrote:
> On Sat, May 20, 2017 at 09:09:21AM -0700, Hong Xu wrote:
>
>> I switched apparmor to complain mode and it works now. Are you
>> suggesting that now the updated apparmor profile should address this issue?
>
> I'm not that familiar with apparmor but the question is if the current
> apparmor profile or thunderbird is preventing all the needed access. So
> you can look into the logs what's the reason why evince isn't called for
> example.
>
> Without a look into the respective logs the profile can't be expanded
> correctly.
>
> Please note also some info about apparmor for Thunderbird written in
> the Debian Wiki.
>
> https://wiki.debian.org/Thunderbird#AppArmor_profile
> https://wiki.debian.org/AppArmor/Debug
>

Now I can't reproduce the issue any more, even after re-enabling apparmor
for thunderbird. I have the following log entry:

May 25 00:35:58 home kernel: [ 3283.982257] audit: type=1400 audit(1495697758.889:1682): apparmor="ALLOWED" operation="open" profile="thunderbird//null-3" name="/etc/ld.so.cache" pid=10714 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

However, enforcing thunderbird also leads to strange results, which also
makes me a bit worried:

sudo aa-enforce thunderbird
Setting /usr/bin/thunderbird to enforce mode.

ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile