On Tue, 27 Nov 2018 19:43:32 +0100 Christian Boltz <opensuse@cboltz.de> wrote:
I didn't understand the options in aa-logprof so I followed your manual instructions:
What exactly in aa-logprof was hard to understand? I'm always open for improvements ;-)
Probably nothing at all wrong with your prog, but I did not have time to read the man page yet. I was shown a list of profiles (3?), one with wildcards, and had no idea which one even to deal with, or maybe it was all 3 to be worked. I also tried the GUI version of it with the same "what do I do here" result.
That said, you can also update the profiles manually: [...] Then run rcapparmor reload and everything should work as expected.
This didn't work. The messages are now gone from aa-logprof, but running:
"updatedb -l 0 -o /home/rsil/Downloads/rsildb -U /home/rsil"
...still gives me the message:
"updatedb: can not open a temporary file for `/home/rsil/Downloads/rsildb'"
I checked my entries for any typos but all is good there...?
Maybe you need additional permissions I didn't guess from just reading and adjusting the profiles.
Start tail -f /var/log/audit/audit.log as root and try updatedb again. You'll probably get some log entries - just paste them (in your next mail or paste.opensuse.org, depending on the size) so that I can see what's going on.
The paste is at: http://paste.opensuse.org/d3ec73bc
You can/should also run aa-complain /etc/apparmor.d/usr.bin.updatedb to switch the profile to learning mode so that we see everything that would be denied instead of only the first issue. Don't forget to switch the profile back to enforce mode with aa-enforce when it's updated ;-)
No opportunity for this yet...
Just to be sure, even if it sounds unlikely - did you check the owner and directory permissions of /home/rsil/Downloads/ and the owner and permissions of the existing "rsildb*" file(s)? If the filesystem permissions deny access, AppArmor won't change anything ;-)
Entire /home/rsil is restricted to owner, rw(x). No rights/access to group or others. The db is -rw------- and the directories path to it are all drwx------.
Thanks for the assistance.
Ralph
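Added example, not part of the original mail: a small Python summary of the AppArmor records one would see when following the `tail -f /var/log/audit/audit.log` and `aa-complain` steps discussed above. The log lines are constructed samples (not the contents of the paste in the thread), and the names `parse_line` and `summarize` belong to this example only.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit.log AVC layout (not from the thread).
# DENIED is logged in enforce mode, ALLOWED in complain mode (after aa-complain).
SAMPLE_LOG = '''\
type=AVC msg=audit(1543346000.101:501): apparmor="DENIED" operation="mknod" profile="/usr/bin/updatedb" name="/home/rsil/Downloads/rsildb.Ab12Cd" pid=4242 comm="updatedb" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1543346000.102:502): apparmor="ALLOWED" operation="open" profile="/usr/bin/updatedb" name="/home/rsil/Downloads/rsildb" pid=4242 comm="updatedb" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1543346000.103:503): arch=c000003e syscall=2 success=no exit=-13 comm="updatedb"
type=AVC msg=audit(1543346010.200:510): apparmor="DENIED" operation="open" profile="/usr/bin/updatedb" name="/home/rsil/Downloads/rsildb.Ab12Cd" pid=4250 comm="updatedb" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_line(line):
    """Return the fields of one AppArmor record as a dict, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare or quoted
        # audit writes names with spaces or odd bytes as unquoted hex
        if key == "name" and bare and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def summarize(log_text):
    """Map (profile, path) -> combined mask letters the profile lacks."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if "profile" in ev and "name" in ev:
            masks[(ev["profile"], ev["name"])].update(ev.get("denied_mask", ""))
    return {key: "".join(sorted(val)) for key, val in masks.items()}


if __name__ == "__main__":
    for (profile, path), mask in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile}: {path} needs '{mask}'")
```

The temporary file name with a random suffix in the constructed sample shows why a rule covering only the database path itself may not be enough; a glob such as `rsildb*` is one way to cover it.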