In enforce mode, Chromium won't start on my computer due to the fact that my computer has one more level of subfolders in /sys/devices/pci.../... than is covered by the standard profile. As the folder structure in /sys/devices is something I didn't change, I'd suggest adding rules for that case to the profile.
The attached profile is working; my changes are at the top for your review (including some Ux rights for Flash).
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: apparmor-profiles 2.7.0~beta1+bzr1774-1ubuntu2
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Thu Nov 3 19:49:59 2011
Dependencies:
InstallationMedia: Lubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
PackageArchitecture: all
ProcEnviron:
LANG=de_DE.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.0.0-12-generic root=UUID=48c22694-7660-428f-96f1-09999f29b260 ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
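Added example (not part of the original report and not the shipped Ubuntu profile): a simplified model of AppArmor path-glob matching that shows why a rule with a fixed number of `*` components denies a PCI device sitting one directory deeper under /sys/devices/pci, and how an explicit extra level compares with `**`. The rules and sysfs paths are constructed for illustration, and `aa_glob_to_regex` and `uncovered` are hypothetical helper names.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob to a regex (simplified model of the syntax)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")                 # ** also crosses '/' boundaries
            i += 1
        elif c == "*":
            out.append("[^/]*")              # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = glob.index("]", i + 1)     # character class, e.g. [0-9]
            out.append(glob[i:end + 1])
            i = end
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")                  # {a,b} alternation
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def uncovered(rules, paths):
    """Return the paths that no rule matches, i.e. what enforce mode would deny."""
    compiled = [aa_glob_to_regex(r) for r in rules]
    return [p for p in paths if not any(rx.fullmatch(p) for rx in compiled)]

# Constructed rules and paths (assumptions, not taken from the Ubuntu profile).
FIXED_DEPTH = ["/sys/devices/pci[0-9]*/*/{class,vendor,device}"]
ONE_DEEPER = FIXED_DEPTH + ["/sys/devices/pci[0-9]*/*/*/{class,vendor,device}"]
RECURSIVE = ["/sys/devices/pci[0-9]*/**/{class,vendor,device}"]
PATHS = [
    "/sys/devices/pci0000:00/0000:00:02.0/class",                             # on the root bus
    "/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/vendor",               # behind one bridge
    "/sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/0000:03:00.0/device",  # behind two bridges
]

if __name__ == "__main__":
    for name, rules in [("fixed", FIXED_DEPTH), ("one deeper", ONE_DEEPER), ("recursive", RECURSIVE)]:
        print(name, "denies:", uncovered(rules, PATHS))
```

Adding one explicit level keeps the grant narrow but still denies devices behind a second bridge; `**` covers every depth at the cost of matching any directory chain below the PCI root.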
This bug was fixed in the package apparmor - 2.7.0-0ubuntu1
---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low
* New upstream release. Fixes the following:
  - LP: #794974
  - LP: #815883
  - LP: #840973
* Drop the following patches, included upstream:
  - af_names-generation.patch
  - 0004-adjust-logprof-log-search-order.patch
  - 0005-lp826914.patch
  - 0006-lp838275.patch
  - 0007-fix-introspection-tests.patch
* Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
* debian/patches/0003-commits-through-r1882.patch: several bug,
  documentation and performance fixes on our road to AppArmor 2.8
  (LP: #840734, LP: #905412)
* debian/patches/0004-lp887992.patch: cups-client abstraction should allow
  owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
  (LP: #887992)
* update debian/patches/0001-add-chromium-browser.patch for deeper
  directories of /sys/devices/pci (LP: #885833)
* debian/patches/0005-lp884748.patch: allow kate as text editor in the
  browsers abstraction (LP: #884748)
* debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
  to ~/.fonts.conf.d (LP: #870992)
* debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
  in the python abstraction, which is needed for apport hooks to work in
  python applications (LP: #860856)
* debian/patches/0008-lp852062.patch: update binaries for transmission
  clients (LP: #852062)
* debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
  Xubuntu and friends (LP: #851977)
* debian/patches/0010-lp890894.patch: allow access to Thunar as well as
  thunar in ubuntu-integration abstraction (LP: #890894)
* debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
  (LP: #817956)
* debian/patches/0012-lp458922.patch: update dovecot deliver profile to
  access various .conf files for dovecot (LP: #458922)
* debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
  (LP: #769148)
* debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
  (LP: #904548)
* debian/patches/0015-lp712584.patch: Nvidia users need access to
  /dev/nvidia* files for various plugins to work right. Since these are all
  focused around multimedia, add the accesses to the multimedia abstraction.
  (LP: #712584)
* debian/patches/0016-lp562831.patch: allow fireclam plugin to work
  (LP: #562831)
* debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
  integration browser abstraction (LP: #662906)
* debian/patches/0018-deny-home-pki-so.patch: update private-files
  abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
* debian/patches/0019-lp899963.patch: add audacity to the
  ubuntu-media-players abstraction (LP: #899963)
* debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
  abstraction and add it to the authentication abstraction (LP: #912754)
* debian/patches/0022-workaround-lp851986.patch: instead of using Ux
  in the ubuntu and launchpad abstractions, use a helper child profile.
  This will help work around the lack of en...