So the particular denials from the kernel log for this bug would require
adding
/run/user/1000/icedteaplugin-pseudo-*/ w,
to the /usr/lib/firefox/firefox{,*[^s][^h]} profile
However from the ask ubuntu question there is a larger problem
1st: You can manually put the sub profiles into complain mode by adding
flags=(complain) to the profiles
eg.
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java flags=(complain) {
...
}
I took a pass through the DENIED messages in the ask ubuntu question and a
first pass at the rules to add to
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk follows. Please note
there may be more denied messages after these are added. Also you should check
/var/log/syslog for denied messages because ubuntu has turned on extended dbus
mediation and its denials do not go to the kernel ring buffer. Also this
profile should be reloaded to make sure the new rules are added.
/usr/bin/logger Pix, # choose transition that makes sense for your
profiles
/proc/sys/net/ipv4/ip_local_port_range r,
/proc/@{pid}/cmdline r,
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner /run/user/1000/dconf/user rw,
owner
/run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer
r,
unix peer=(addr=@/tmp/dbus-* label=unconfined),
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1293439
Title:
Apparmor prevents icedtea-7-plugin from creating necessary files
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1293439/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
