I also stumbled on this and tried the aa-notify way mentioned in comment 6, but that didn't work for me. I get the notification prompt on allowing access to the key stored under my home directory, but by the time I click on "Allow" openvpn already failed and gave up trying. The "allow" setting (i.e. the profile extension) doesn't seem to be permanent, so when I try again to connect to the VPN I hit the same failure, and I get the same aa-notify prompt again.
Also: looks like aa-notify needs the desktop-security-center snap to be installed in order to show the prompt. This was not clear to me when I first tried. In the end I manually extended the profile, following the suggestion in comment 3 (thanks!). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2098930 Title: openvpn profile doesn't allow access to files on home dir Status in apparmor package in Ubuntu: Confirmed Status in gnome-control-center package in Ubuntu: Confirmed Bug description: my VPN keys & certs are stored in my HOME directory. The current apparmor update broke that. When I try to activate my VPN through NetworkManager, the journal says: Feb 20 07:48:57 paprika NetworkManager[3405]: <info> [1740034137.4372] vpn[0x58db282782d0,132c9eee-2134-4f7a-8326-58bde38036de,"canonical-uk"]: starting openvpn [snipped] Feb 20 07:48:57 paprika nm-openvpn[10793]: Cannot pre-load keyfile (/home/tom/Documents/vpn/ta.key) Feb 20 07:48:57 paprika nm-openvpn[10793]: Exiting due to fatal error [snipped] Feb 20 07:48:57 paprika kernel: audit: type=1400 audit(1740034137.454:789): apparmor="DENIED" operation="open" class="file" profile="openvpn" name="/home/tom/Documents/vpn/ta.key" pid=10793 comm="openvpn" requested_mask="r" denied_ma> So openvpn can no longer access /home/tom/Documents/canonical/vpn/canonical_ta.key . ProblemType: Bug DistroRelease: Ubuntu 25.04 Package: apparmor 4.1.0~beta5-0ubuntu2 ProcVersionSignature: Ubuntu 6.12.0-15.15-generic 6.12.11 Uname: Linux 6.12.0-15-generic x86_64 NonfreeKernelModules: zfs ApportVersion: 2.31.0-0ubuntu5 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Thu Feb 20 08:57:57 2025 InstallationDate: Installed on 2024-07-18 (217 days ago) InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424) ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) SHELL=/usr/bin/zsh TERM=xterm-256color XDG_RUNTIME_DIR=<set> ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.12.0-15-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro quiet splash vt.handoff=7 SourcePackage: apparmor UpgradeStatus: Upgraded to plucky on 2024-12-20 (62 days ago) modified.conffile..etc.apparmor.d.element-desktop: [modified] mtime.conffile..etc.apparmor.d.element-desktop: 2025-02-11T18:32:02.077059 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2098930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
