Anyone using Apparmor?

Discussion in 'all things UNIX' started by Hungry Man, Mar 11, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm on Ubuntu and have configured AppArmor for OpenJDK 7 and the Chromium Renderer.

    I'm having some problems though, a lot of guides say to do things like "sudo aa complain" or some such thing but it just gives me "aa is not a valid command."

    I've managed to get the Chromium renderer and OpenJDK working... I think.

    I have 38 profiles loaded, 16 profiles in enforce mode (including the renderer and
    22 profiles in complain mode

    I then have 27 processes with profiles defined
    3 processes in enforce mode
    24 processes are unconfirmed but have profiles.

    I'm not sure I really understand what all of that means.

    Pidgin is "unconfirmed but has a profile" - how can I enforce that profile?

    Thanks.

    EDIT: OK I figured out how to put them in enforce. Anyone else using profiles?
     
    Last edited: Mar 11, 2012
  2. x942

    x942 Guest

    I'm using Apparmor on my XUbuntu machine. I have it cover all of the profiles in enforce mode. Now I see chromium there but is chrome protected or not? I see no mention of this.

    I prefer selinux over apparmor. It's more flexible in my experience.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would rather use SELinux but it isn't supported as well in Ubuntu (No profiles by default I don't think) so I'll just make due with AppArmor.

    I don't believe Chrome has an apparmor profile, you'd have to make one.

    Is sandboxing Flash possible?
     
    Last edited: Mar 11, 2012
  4. x942

    x942 Guest

    Agreed.

    This is what I have been using to create profiles http://ubuntuforums.org/showthread.php?t=1008906

    Trying to do a Chrome one now.

    Flash should be possible. Are you using firefox or chrome? If chrome I would just protect that as Flash is already sandboxed so you would have two sandboxes already no need for a third really
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm using Chromium 64bit. Neither Chrome nor Chromium 64bit comes with bundled Flash, which sucks. I'm not sure if it's runnign sandboxed.

    I chose Chromium because of the seccomp sandbox, which isnt available in Chrome. It also comes with apparmor profiles, which is convenient.

    I actually set up a Chromium apparmor profile but it wouldn't launch. I can only use it on the renderer process.

    edit: after having my Chromium apparmor in complain for a while enforcing seems to work. Are logged errors from complain mode automatically moved to the enforce profile?
     
    Last edited: Mar 11, 2012
  6. x942

    x942 Guest

    I guess your right. Chromium doesnt have flash so it probably isn't sandboxed separately. Maybe if you use the switch --safe-plugins?

    I use chrome solely because the chromium dev takes forever to be pushed to the ubuntu repos while chrome dev is there immediately. I don't know why there's a delay in chromium repos.

    I'm trying to put together a profile for chrome right now. I know you can use aa-genprof to create a very basic profile. Maybe you can use that to start, and than put the errors into the profile so everything works and finally enforce it. I know aa-genprof puts it in complain mode by default I don't know if it will take the errors into the enforced profile auto-magically though.

    EDIT: Chrome 64 doesn't have flash baked in? I thought there was 64 bit flash? Glad I still run 32 bit with PAE.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Safe-plugins isn't support anymore, unfortunately.

    I'd rather have seccomp than apparmor, honestly. Using Chrome means giving up seccomp. With chromium I get both apparmor and seccomp, which is very nice.

    Yeah, it sucks. It's an Adobe thing though I think.
     
  8. x942

    x942 Guest

    How long does it take for Chromium updates to get pushed? I know it was taking over 2 weeks at one point.

    Maybe I will switch back and give it a try with seccomp.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Right now it seems to be entirely up to date. I've only been using this install of Ubuntu for ~16 hours lol so I'm really not sure how good it is at updating or when/ how they decide to push one out.

    http://askubuntu.com/questions/89058/how-to-install-the-latest-stable-version-of-chromium
    This seems to have information on chromium, including a "daily builds" ppa.

    edit: Installing form there seems to have disabled the seccomp sandbox... how odd.
     
    Last edited: Mar 11, 2012
  10. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    If you want latest cutting edge Chrome, then Google Chrome is the best way, the Chromium version is now being updated regularly but still falls one version short compared to Google Chrome.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    For whatever reason Chrome doesn't support the seccomp sandbox.

    Also, Chromium seems broken after a reboot if I have it set to enforce.

    EDIT: I now have Chromium @ Version 18.
     
    Last edited: Mar 12, 2012
  12. x942

    x942 Guest

    I didn't know that. Are exploit patches still pushed down to the chromium branch at the same time? That's really all I care about when it comes to updates anyways.

    HM:

    I just reinstalled too. Now it's at the latest version before that it was behind. apt-get never seemed to see the repo as updated I guess. Maybe I messed something up.

    Chrome's latest Version 19.0.1061.1 dev Chromium seems to be at 18.something.

    I wish it did support it that would be awesome!

    Seems to work fine for me. What are you running stable,beta or dev? I'm running Dev on my XUbuntu 11.10 laptop. All profiles are enforced.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    18.0.997.0 (Developer Build 116462 Linux) Ubuntu 11.10

    Upload your profile?

    EDIT: The chrome renderer apparmor works fine. It's the chrome-browser that seems to break it.
     
  14. x942

    x942 Guest

    For chromium? It's:

    Code:
    # Author: Jamie Strandboge <jamie@canonical.com>
    #include <tunables/global>
    
    /usr/lib/chromium-browser/chromium-browser {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/fonts>
      #include <abstractions/freedesktop.org>
      #include <abstractions/gnome>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
    
      # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
      # you want access to productivity applications, adjust the following file
      # accordingly.
      #include <abstractions/ubuntu-browsers.d/chromium-browser>
    
      # Networking
      network inet stream,
      network inet6 stream,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,
    
      # Should maybe be in abstractions
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/xdg/xubuntu/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/mimeinfo.cache r,
    
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/[0-9]*/cmdline r,
      @{PROC}/[0-9]*/stat r,
      @{PROC}/[0-9]*/status r,
    
      # Newer chromium needs these now
      /sys/devices/pci[0-9]*/[0-9]*/class r,
      /sys/devices/pci[0-9]*/[0-9]*/device r,
      /sys/devices/pci[0-9]*/[0-9]*/irq r,
      /sys/devices/pci[0-9]*/[0-9]*/resource r,
      /sys/devices/pci[0-9]*/[0-9]*/vendor r,
    
      # Needed for the crash reporter
      owner @{PROC}/[0-9]*/auxv r,
    
      # chromium mmaps all kinds of things for speed.
      /etc/passwd m,
      /usr/share/fonts/truetype/**/*.tt[cf] m,
      /usr/share/fonts/**/*.pfb m,
      /usr/share/mime/mime.cache m,
      /usr/share/icons/**/*.cache m,
      owner /{dev,run}/shm/pulse-shm* m,
      owner @{HOME}/.local/share/mime/mime.cache m,
      owner /tmp/** m,
    
      @{PROC}/sys/kernel/shmmax r,
      owner /{dev,run}/shm/{,.}org.chromium.* mrw,
    
      /usr/lib/chromium-browser/*.pak mr,
      /usr/lib/chromium-browser/locales/* mr,
    
      # Noisy
      deny /usr/lib/chromium-browser/** w,
    
      # Make browsing directories work
      / r,
      /**/ r,
    
      # Allow access to documentation and other files the user may want to look
      # at in /usr
      /usr/{include,share,src}** r,
    
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
    
      # Helpers
      /usr/bin/xdg-open ixr,
      /usr/bin/gnome-open ixr,
      /usr/bin/gvfs-open ixr,
      # TODO: kde, xfce
    
      # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
      # which is provided by abstractions/ubuntu-browsers.d/user-files).
      @{PROC}/[0-9]*/oom_adj w,
      /etc/firefox/profile/bookmarks.html r,
      owner @{HOME}/.mozilla/** k,
    
      # Chromium configuration
      owner @{HOME}/.pki/nssdb/* rwk,
      owner @{HOME}/.cache/chromium/ rw,
      owner @{HOME}/.cache/chromium/** rw,
      owner @{HOME}/.cache/chromium/Cache/* mr,
      owner @{HOME}/.config/chromium/ rw,
      owner @{HOME}/.config/chromium/** rwk,
      owner @{HOME}/.config/chromium/**/Cache/* mr,
      owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
      owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
    
      # Allow transitions to ourself and our sandbox
      /usr/lib/chromium-browser/chromium-browser ix,
      /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
    
      # TODO: child profile
      /bin/ps Uxr,
      /usr/lib/chromium-browser/xdg-settings Ux,
      /usr/bin/xdg-settings Ux,
    
      # Site-specific additions and overrides. See local/README for details.
      #include <local/usr.bin.chromium-browser>
    
    profile chromium_browser_sandbox {
        # Be fanatical since it is setuid root and don't use an abstraction
        /lib/libgcc_s.so* mr,
        /lib{,32,64}/libm-*.so* mr,
        /lib/@{multiarch}/libm-*.so* mr,
        /lib{,32,64}/libpthread-*.so* mr,
        /lib/@{multiarch}/libpthread-*.so* mr,
        /lib{,32,64}/libc-*.so* mr,
        /lib/@{multiarch}/libc-*.so* mr,
        /lib{,32,64}/libld-*.so* mr,
        /lib/@{multiarch}/libld-*.so* mr,
        /lib{,32,64}/ld-*.so* mr,
        /lib/@{multiarch}/ld-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
        /usr/lib/libstdc++.so* mr,
        /etc/ld.so.cache r,
    
        # Required for dropping into PID namespace. Keep in mind that until the
        # process drops this capability it can escape confinement, but once it
        # drops CAP_SYS_ADMIN we are ok.
        capability sys_admin,
    
        # All of these are for sanely dropping from root and chrooting
        capability chown,
        capability fsetid,
        capability setgid,
        capability setuid,
        capability dac_override,
        capability sys_chroot,
    
        # *Sigh*
        capability sys_ptrace,
    
        @{PROC}/ r,
        @{PROC}/[0-9]*/fd/ r,
        @{PROC}/[0-9]*/oom_adj w,
    
        /usr/bin/chromium-browser r,
        /usr/lib/chromium-browser/chromium-browser Px,
        /usr/lib/chromium-browser/chromium-browser-sandbox r,
    
        owner /tmp/** rw,
      }
    }
    
    Chrome Dev aa-autodep:

    Code:
    # Last Modified: Sun Mar 11 22:37:24 2012
    #include <tunables/global>
    
    /opt/google/chrome/google-chrome flags=(complain) {
      #include <abstractions/base>
      #include <abstractions/bash>
    
    
    
      /bin/bash ix,
      /bin/readlink rix,
      /dev/tty rw,
      /opt/google/chrome/google-chrome r,
    
    }
    
    I am going to test out chrome and make it work hopefully!

    EDIT:

    Okay so after using aa-autodep to create a basic profile in complain mode you run chrome. Now running aa-logprof will show what happened and let you allow, deny, etc. each modification and add that to the profile.

    It would take a while but I'd assume you would just go through every option chrome has until you have a profile covering everything with no errors.
     
    Last edited by a moderator: Mar 12, 2012
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm going to try this for my Chromium and hopefully it'll fix whatever's causing issues.

    edit: Even with your config + using logprof it won't start with enforced mode. Are you using apparmor on the renderer? Perhaps that's the issue?
     
    Last edited: Mar 12, 2012
  16. x942

    x942 Guest


    Good luck! If it doesn't work you may want to try removing the profiles via apt-get or aptitude and reinstalling them, you never know it may have just been a bad download.
     
  17. x942

    x942 Guest

    This is everything I have:

    Code:
    37 profiles are in enforce mode.
       /bin/ping
       /sbin/dhclient
       /sbin/klogd
       /sbin/syslog-ng
       /sbin/syslogd
       /usr/bin/evince
       /usr/bin/evince-previewer
       /usr/bin/evince-thumbnailer
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/chromium-browser/chromium-browser
       /usr/lib/chromium-browser/chromium-browser//browser_java
       /usr/lib/chromium-browser/chromium-browser//browser_openjdk
       /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/cups/backend/cups-pdf
       /usr/lib/dovecot/deliver
       /usr/lib/dovecot/dovecot-auth
       /usr/lib/dovecot/imap
       /usr/lib/dovecot/imap-login
       /usr/lib/dovecot/managesieve-login
       /usr/lib/dovecot/pop3
       /usr/lib/dovecot/pop3-login
       /usr/lib/firefox-10.0.2/firefox{,*[^s][^h]}
       /usr/lib/firefox-10.0.2/firefox{,*[^s][^h]}//browser_java
       /usr/lib/firefox-10.0.2/firefox{,*[^s][^h]}//browser_openjdk
       /usr/lib/lightdm/lightdm-guest-session-wrapper
       /usr/sbin/avahi-daemon
       /usr/sbin/cupsd
       /usr/sbin/dnsmasq
       /usr/sbin/dovecot
       /usr/sbin/identd
       /usr/sbin/mdnsd
       /usr/sbin/nmbd
       /usr/sbin/nscd
       /usr/sbin/smbd
       /usr/sbin/tcpdump
       /usr/sbin/traceroute
    29 profiles are in complain mode.
       /opt/google/chrome/google-chrome
       /opt/google/chrome/google-chrome//null-28
       /opt/google/chrome/google-chrome//null-29
       /opt/google/chrome/google-chrome//null-2a
       /opt/google/chrome/google-chrome//null-2b
       /opt/google/chrome/google-chrome//null-2c
       /opt/google/chrome/google-chrome//null-2c//null-2d
       /opt/google/chrome/google-chrome//null-2c//null-2d//null-2e
       /opt/google/chrome/google-chrome//null-2c//null-2d//null-2e//null-2f
       /opt/google/chrome/google-chrome//null-2c//null-30
       /opt/google/chrome/google-chrome//null-2c//null-31
       /opt/google/chrome/google-chrome//null-32
       /opt/google/chrome/google-chrome//null-33
       /opt/google/chrome/google-chrome//null-34
       /opt/google/chrome/google-chrome//null-35
       /opt/google/chrome/google-chrome//null-35//null-36
       /opt/google/chrome/google-chrome//null-35//null-36//null-37
       /opt/google/chrome/google-chrome//null-35//null-36//null-37//null-38
       /opt/google/chrome/google-chrome//null-35//null-39
       /opt/google/chrome/google-chrome//null-35//null-3a
       /opt/google/chrome/google-chrome//null-3b
       /opt/google/chrome/google-chrome//null-3c
       /opt/google/chrome/google-chrome//null-3d
       /opt/google/chrome/google-chrome//null-3e
       /opt/google/chrome/google-chrome//null-3e//null-3f
       /opt/google/chrome/google-chrome//null-3e//null-3f//null-40
       /opt/google/chrome/google-chrome//null-3e//null-3f//null-40//null-41
       /opt/google/chrome/google-chrome//null-3e//null-42
       /opt/google/chrome/google-chrome//null-3e//null-43
    4 processes have profiles defined.
    2 processes are in enforce mode.
       /sbin/dhclient (1520) 
       /usr/sbin/cupsd (1245) 
    0 processes are in complain mode.
    2 processes are unconfined but have a profile defined.
       /usr/sbin/avahi-daemon (1236) 
       /usr/sbin/avahi-daemon (1237) 
    
    I don't see anything about the renderer?

    EDIT: In case you don't know I got that output via the "apparmor_status" command.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I have a /usr/lib/chromium apparmor profile, which I got from here:
    http://code.google.com/p/chromium/wiki/LinuxSandboxing

    I think this may be interfering with the chromium-browser one. edit: Nope.

    Are you using seccomp sandbox?
     
  19. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    The Chrome version I have got updated yesterday with .79 whereas Chromium PPA still has .78
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Code:
    49 profiles are loaded.
    39 profiles are in enforce mode.
       /bin/ping
       /dev/chromium/chrome/Hammer/chrome-renderer
       /sbin/dhclient
       /sbin/klogd
       /sbin/syslog-ng
       /sbin/syslogd
       /usr/bin/evince
       /usr/bin/evince-previewer
       /usr/bin/evince-thumbnailer
       /usr/bin/pidgin
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/chromium-browser/chromium-browser//browser_java
       /usr/lib/chromium-browser/chromium-browser//browser_openjdk
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/cups/backend/cups-pdf
       /usr/lib/dovecot/deliver
       /usr/lib/dovecot/dovecot-auth
       /usr/lib/dovecot/imap
       /usr/lib/dovecot/imap-login
       /usr/lib/dovecot/managesieve-login
       /usr/lib/dovecot/pop3
       /usr/lib/dovecot/pop3-login
       /usr/lib/firefox-10.0.2/firefox{,*[^s][^h]}
       /usr/lib/firefox-10.0.2/firefox{,*[^s][^h]}//browser_java
       /usr/lib/firefox-10.0.2/firefox{,*[^s][^h]}//browser_openjdk
       /usr/lib/lightdm/lightdm-guest-session-wrapper
       /usr/lib/telepathy/mission-control-5
       /usr/lib/telepathy/telepathy-*
       /usr/sbin/avahi-daemon
       /usr/sbin/cupsd
       /usr/sbin/dnsmasq
       /usr/sbin/dovecot
       /usr/sbin/identd
       /usr/sbin/mdnsd
       /usr/sbin/nmbd
       /usr/sbin/nscd
       /usr/sbin/smbd
       /usr/sbin/tcpdump
       /usr/sbin/traceroute
    10 profiles are in complain mode.
       /etc/apparmor.d/usr.bin.chromium-browser
       /usr/lib/chromium-browser/chromium-browser
       /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
       /usr/lib/chromium-browser/chromium-browser//null-2c
       /usr/lib/chromium-browser/chromium-browser//null-2d
       /usr/lib/chromium-browser/chromium-browser//null-2e
       /usr/lib/chromium-browser/chromium-browser//null-2f
       /usr/lib/chromium-browser/chromium-browser//null-30
       /usr/lib/chromium-browser/chromium-browser//null-31
       /usr/lib/chromium-browser/chromium-browser//null-32
    31 processes have profiles defined.
    6 processes are in enforce mode.
       /sbin/dhclient (1177) 
       /usr/bin/pidgin (1916) 
       /usr/lib/telepathy/mission-control-5 (1807) 
       /usr/sbin/avahi-daemon (726) 
       /usr/sbin/avahi-daemon (728) 
       /usr/sbin/cupsd (984) 
    25 processes are in complain mode.
       /usr/lib/chromium-browser/chromium-browser (6748) 
       /usr/lib/chromium-browser/chromium-browser (6751) 
       /usr/lib/chromium-browser/chromium-browser (6753) 
       /usr/lib/chromium-browser/chromium-browser (6756) 
       /usr/lib/chromium-browser/chromium-browser (6784) 
       /usr/lib/chromium-browser/chromium-browser (6789) 
       /usr/lib/chromium-browser/chromium-browser (6854) 
       /usr/lib/chromium-browser/chromium-browser (6857) 
       /usr/lib/chromium-browser/chromium-browser (6875) 
       /usr/lib/chromium-browser/chromium-browser (6878) 
       /usr/lib/chromium-browser/chromium-browser (6884) 
       /usr/lib/chromium-browser/chromium-browser (6892) 
       /usr/lib/chromium-browser/chromium-browser (6897) 
       /usr/lib/chromium-browser/chromium-browser (6901) 
       /usr/lib/chromium-browser/chromium-browser (6904) 
       /usr/lib/chromium-browser/chromium-browser (6912) 
       /usr/lib/chromium-browser/chromium-browser (6915) 
       /usr/lib/chromium-browser/chromium-browser (6932) 
       /usr/lib/chromium-browser/chromium-browser (6942) 
       /usr/lib/chromium-browser/chromium-browser (6943) 
       /usr/lib/chromium-browser/chromium-browser (7074) 
       /usr/lib/chromium-browser/chromium-browser (7076) 
       /usr/lib/chromium-browser/chromium-browser (7094) 
       /usr/lib/chromium-browser/chromium-browser (7202) 
       /usr/lib/chromium-browser/chromium-browser (7242) 
    0 processes are unconfined but have a profile defined.
    
    That's what I've got.
     
  21. x942

    x942 Guest

    Interesting. Try running aa-disable on that profile and see if chromium will run normally.

    EDIT: So the command should be

    Code:
     sudo aa-disable /dev/chromium/chrome/Hammer/chrome-renderer 
    linuxforall:

    In that case I think i will stick with chrome. I'm running both right now with no issue (both dev channel) so I can at least swap between them.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Didn't work. It's not seccomp's sandbox either.
     
  23. x942

    x942 Guest

    I noticed you have more under chromium profiles than i do:
    Code:
     /etc/apparmor.d/usr.bin.chromium-browser
       /usr/lib/chromium-browser/chromium-browser
       /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
       /usr/lib/chromium-browser/chromium-browser//null-2c
       /usr/lib/chromium-browser/chromium-browser//null-2d
       /usr/lib/chromium-browser/chromium-browser//null-2e
       /usr/lib/chromium-browser/chromium-browser//null-2f
       /usr/lib/chromium-browser/chromium-browser//null-30
       /usr/lib/chromium-browser/chromium-browser//null-31
       /usr/lib/chromium-browser/chromium-browser//null-32
    I only have the first 3 lines.

    Maybe try disabling all the chromium profiles and see what happens?
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Those are in complain mode though.
     
  25. x942

    x942 Guest

    Didn't notice that. Just to make sure did you run:

    Code:
    sudo /etc/init.d/apparmor reload
    After changing the profiles? I just remembered I had to do that on my laptop here before they took affect.
     
Loading...
Thread Status:
Not open for further replies.