https://bugzilla.novell.com/show_bug.cgi?id=772415 https://bugzilla.novell.com/show_bug.cgi?id=772415#c2 --- Comment #2 from David Kerkhof 2012-07-20 16:34:23 UTC --- Created an attachment (id=499449) --> (http://bugzilla.novell.com/attachment.cgi?id=499449) aa-status -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=772415 https://bugzilla.novell.com/show_bug.cgi?id=772415#c4 --- Comment #4 from David Kerkhof 2012-07-20 16:35:27 UTC --- Created an attachment (id=499451) --> (http://bugzilla.novell.com/attachment.cgi?id=499451) firefox profile -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=772415 https://bugzilla.novell.com/show_bug.cgi?id=772415#c6 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |dutchkind@txoriaskea.org --- Comment #6 from Christian Boltz 2012-07-20 19:29:22 CEST --- Thanks for the log and the profile! (In reply to comment #5)

A file called blueproximity.log which is in the root of my home dir can be loaded and read.

from abstractions/user-download: owner @{HOME}/[a-zA-Z0-9]* rwl, This explains why you can access ~/blueproximity.log

A folder created for this testing "tryout" can be entered although this time I couldn't access any files

from abstractions/user-write: owner @{HOME}/[a-zA-Z0-9]*/ rw, This explains why you can enter the ~/tryout/ folder

It doesn't seem consistent but at least allows things that shouldn't be allowed.

The examples you mentioned can be explained by the abstractions you include. (Maybe you should remove abstractions/user-download and abstractions/user-write from your firefox profile if they allow more than you like.) For the other things (before you hardened your profile) I'd need to see logs and the (old) profile, but I think (and hope ;-) that something[tm] allowed it - maybe from an abstraction. Do you have more examples of files that should not be accessable? If yes, I'll happily check them. Otherwise feel free to close the bug as ILEARNEDSOMETHING ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=772415 https://bugzilla.novell.com/show_bug.cgi?id=772415#c8 --- Comment #8 from Christian Boltz 2012-07-21 00:56:01 CEST --- (In reply to comment #7)

Are you sure nothing changed?

abstractions/user-write and abstractions/user-download were not modified since at least AppArmor 2.6. To be exact: those two files were last modified 2010-12-22 (no idea which AppArmor release this was). The permissions I listed in comment #6 were there even longer - the oldest version I can see in bzr (from 2007-04) already containted those permissions ;-) and the commit message talks about moving the files around, so they might be even older. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=772415 https://bugzilla.novell.com/show_bug.cgi?id=772415#c10 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |RESOLVED InfoProvider|dutchkind@txoriaskea.org | Resolution| |WORKSFORME --- Comment #10 from Christian Boltz 2012-07-23 00:09:04 CEST --- (In reply to comment #9)

this bug can be closed as ILEARNEDSOMETHING

Unfortunately that's no official bug resolution in bugzilla, so I'll use WORKSFORME ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.