Bug 143281

Summary: Insufficient settings in default profiles, at least for man & gaim:
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Olli Artemjev <grey-olli>
Component: AppArmor
Assignee: Seth R Arnold <seth.arnold>
Status: RESOLVED FIXED
QA Contact: Dominic W Reynolds <dreynolds>
Severity: Major
Priority: P3 - Medium
Keywords: accessibility, easy_fix, Fix_No_Build
Version: Final
Target Milestone: ---
Hardware: i686
OS: SuSE Linux 10.0
Whiteboard:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Olli Artemjev 2006-01-15 06:02:43 UTC
I've the following REJECTs on my system that are probably OK to allow (I don't include others):
skylab:~ # grep "SubDomain: REJECTING r access to " /var/log/warn | awk -- '{print $6,$7,$8,$9,$10,$11,$13,$14,$15,$16}'| grep man | uniq
SubDomain: REJECTING r access to /opt/gnome/man/man1 profile /usr/lib/man-db/man active /usr/lib/man-db/man)
skylab:~ # grep "SubDomain: REJECTING " /var/log/warn | grep " access to "| grep gaim | grep -v font | grep mcop| uniq | awk -- '{print $6,$7,$8,$9,$10,$11}' | sort|uniq
SubDomain: REJECTING r access to /home/olli/.mcop/random-seed
SubDomain: REJECTING w access to /home/olli/.mcop/random-seed
skylab:~ # grep "SubDomain: REJECTING r access to " /var/log/warn | grep gaim | grep font | uniq | awk -- '{print $6,$7,$8,$9,$10,$11}'|sort|uniq
SubDomain: REJECTING r access to /usr/local/share/fonts
SubDomain: REJECTING r access to /usr/local/share/fonts/fonts.cache-1
skylab:~ # grep "SubDomain: REJECTING " /var/log/warn | grep " access to "| grep /gaim | grep -v font | grep -v mcop | uniq | awk -- '{print $6,$7,$8,$9,$10,$11}'| grep sox | sort|uniq
SubDomain: REJECTING r access to /usr/bin/sox
SubDomain: REJECTING x access to /usr/bin/sox
skylab:~ # grep "SubDomain: REJECTING " /var/log/warn | grep " access to "| grep /gaim | grep -v font | grep -v mcop | uniq | awk -- '{print $6,$7,$8,$9,$10,$11}'|grep name|sort|uniq
SubDomain: REJECTING r access to /bin/basename
SubDomain: REJECTING r access to /bin/uname
SubDomain: REJECTING x access to /bin/basename
SubDomain: REJECTING x access to /bin/uname
skylab:~ #

The uname's needed if specifying play as sound player.

I'm setting this to major since some man pages will be blocked w/ default profiles.

Comment 1 Dominic W Reynolds 2006-01-31 00:39:12 UTC
OK, thanks. Will update profiles. I'll close this bug when a maintenance fix is scheduled for release.

Comment 2 Olli Artemjev 2006-02-11 04:36:51 UTC
That's one more thing that should be allowed:
==============log========================
Feb 11 07:02:00 skylab kernel: SubDomain: REJECTING r access to /usr/share/texmf/teTeX/man/man1/xdvi.1.gz (man(3325) profile /usr/lib/man-db/man active /usr/lib/man-db/man)
Feb 11 07:02:02 skylab kernel: SubDomain: REJECTING r access to /usr/share/texmf/teTeX/man/man1/xdvi.1.gz (man(3325) profile /usr/lib/man-db/man active /usr/lib/man-db/man)
==============log========================

Due to that I had the following case when I tried to remember the '-s' switch:

==============terminal========================
$ man xdvi

Beware: man aliased to: man -a .

man: can't open /usr/share/texmf/teTeX/man/man1/xdvi.1.gz: Permission denied
No manual entry for xdvi
==============terminal========================
That's obviously the wrong answer. =)

Comment 3 Dominic W Reynolds 2007-01-26 22:35:14 UTC
Seth. A few more updates here. Can we stick these in extras and close?

Comment 4 Seth R Arnold 2007-01-26 22:58:26 UTC
Thanks Olli; I integrated the manpage fix and most of the gaim fixes; I'm disinclined to add the 'play' line, though, as that feels too much like a local configuration option to me. (You like play, someone else may like mplayer or xine or sox..)
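
The triage the reporter does by hand with grep and awk, as an added example that is not part of the bug report or of AppArmor's own tooling: it parses the full rejection-line layout quoted in comment 2, merges the denied modes per profile and path, and singles out write and execute denials, which call for a policy decision of the kind comment 4 makes about 'play'. The gaim profile name /EXAMPLE/bin/gaim, the PIDs and the timestamps in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Layout of the kernel lines quoted in comment 2:
# SubDomain: REJECTING <mode> access to <path> (<comm>(<pid>) profile <p> active <p>)
REJECT_RE = re.compile(
    r"SubDomain: REJECTING (?P<mode>[a-z]+) access to (?P<path>\S+) "
    r"\((?P<comm>[^\s()]+)\((?P<pid>\d+)\) "
    r"profile (?P<profile>\S+) active (?P<active>\S+)\)"
)

# Constructed sample. The xdvi lines come from comment 2; the gaim lines reuse
# paths from the report, but /EXAMPLE/bin/gaim, PIDs and times are placeholders.
SAMPLE_LOG = """\
Feb 11 07:02:00 skylab kernel: SubDomain: REJECTING r access to /usr/share/texmf/teTeX/man/man1/xdvi.1.gz (man(3325) profile /usr/lib/man-db/man active /usr/lib/man-db/man)
Feb 11 07:02:02 skylab kernel: SubDomain: REJECTING r access to /usr/share/texmf/teTeX/man/man1/xdvi.1.gz (man(3325) profile /usr/lib/man-db/man active /usr/lib/man-db/man)
Feb 11 07:05:10 skylab kernel: SubDomain: REJECTING r access to /bin/uname (gaim(4001) profile /EXAMPLE/bin/gaim active /EXAMPLE/bin/gaim)
Feb 11 07:05:10 skylab kernel: SubDomain: REJECTING x access to /bin/uname (gaim(4001) profile /EXAMPLE/bin/gaim active /EXAMPLE/bin/gaim)
Feb 11 07:05:11 skylab kernel: SubDomain: REJECTING r access to /usr/local/share/fonts/fonts.cache-1 (gaim(4001) profile /EXAMPLE/bin/gaim active /EXAMPLE/bin/gaim)
Feb 11 07:05:12 skylab sshd[77]: unrelated line
"""

def summarize(lines):
    """Return {profile: {path: {"modes": "rx", "count": n}}}, sorted by name."""
    seen = defaultdict(lambda: defaultdict(lambda: {"modes": set(), "count": 0}))
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # unrelated line, or a layout this pattern does not cover
        entry = seen[m["profile"]][m["path"]]
        entry["modes"].update(m["mode"])  # a mode field like "rw" adds r and w
        entry["count"] += 1
    return {
        prof: {path: {"modes": "".join(sorted(e["modes"])), "count": e["count"]}
               for path, e in sorted(paths.items())}
        for prof, paths in sorted(seen.items())
    }

def needs_policy_decision(summary):
    """Denials that include w or x: decide these by hand, do not bulk-allow."""
    return sorted((prof, path, e["modes"])
                  for prof, paths in summary.items()
                  for path, e in paths.items()
                  if set(e["modes"]) & {"w", "x"})

if __name__ == "__main__":
    for prof, paths in summarize(SAMPLE_LOG.splitlines()).items():
        for path, e in paths.items():
            print(f"{prof}  {e['modes']:<2}  {path}  ({e['count']} hits)")
```

To run it on the file the report greps, pass `open("/var/log/warn")` to `summarize` in place of the sample lines.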