Open Druco opened 5 years ago
Just wanted to make a correction that adding:
owner @{XDG_CONFIG_HOME}/redshift/redshift.conf r,
to the usr.bin.redshift file does not fix the problem. I didn't notice that what actually occurred was that apparmor crashed when this line was added, so it looked like it was working.
This is a common pitfall of AppArmor profiles and LSM policy in general. There are standard variables in /etc/apparmor.d/tunables, but none seem to apply to this situation.
I'd recommend to add
alias @{HOME}/.config/ -> @{HOME}/.config.tumbleweed/,
in /etc/apparmor.d/tunables/alias and to run rcapparmor reload afterwards.
Thanks, I'll give that a try. So far I have just put the files in .config rather than .config.tumbleweed and that has worked well enough. It sounds like this is really a problem with AppArmor itself needing to be updated to handle the XDG standard. Thanks for the response and as far as I am concerned the bug can be closed.
Describe the bug
With XDG_CONFIG_HOME set to something other than $HOME/.config, the supplied apparmor profile DENIES the file access to the redshift.conf file. Adding the line:
owner @{XDG_CONFIG_HOME}/redshift/redshift.conf r,
to the usr.bin.redshift file fixes this when running redshift from the command line. It does not fix it when running redshift-gtk however.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Parameters specified in $XDG_CONFIG_HOME/redshift/redshift.conf should be used rather than default values (or those in ~/.config/redshift/redshift.conf).
Error output/logs/screenshots
In /var/log/audit/audit.log the error is:
type=AVC msg=audit(1550535771.076:213): apparmor="DENIED" operation="open" profile="/usr/bin/redshift" name="/home/username/.config.tumbleweed/redshift/redshift.conf" pid=5793 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Software versions (please complete the following information):
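An added example, not part of the original issue or the redshift project: a small parser for AppArmor DENIED audit records like the one quoted in the error output above, which groups repeated denials and maps each denied path back through the alias suggested in the thread. The home directory /home/username is taken from the log line; expanding @{HOME} to it, the function names and the extra sample records are assumptions.

```python
import re
from collections import Counter

_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted" or key=bare
_UNTRUSTED = {"name", "comm", "profile"}        # may be hex-encoded by the audit subsystem

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in _PAIR.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in _UNTRUSTED and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # Values with spaces or control characters are logged as bare hex
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def pre_alias_path(path, alias_from, alias_to):
    """Map a path under alias_to back to alias_from, the location the profile's
    rules were written for. Whether that path is allowed still depends on the profile."""
    return alias_from + path[len(alias_to):] if path.startswith(alias_to) else None

def summarize(lines, alias_from, alias_to):
    """Group denials by (profile, path, mask) and attach the pre-alias path."""
    counts = Counter()
    for d in filter(None, map(parse_denial, lines)):
        counts[(d.get("profile"), d.get("name", ""), d.get("denied_mask"))] += 1
    return [{"profile": p, "path": n, "mask": m, "count": c,
             "pre_alias": pre_alias_path(n, alias_from, alias_to)}
            for (p, n, m), c in counts.items()]

# First record is the one quoted in this issue; the others are constructed samples.
_REC = ('type=AVC msg=audit(1550535771.{}:{}): apparmor="DENIED" operation="open" '
        'profile="/usr/bin/redshift" name={} pid=5793 comm="redshift" '
        'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000')
_CONF = "/home/username/.config.tumbleweed/redshift/"
SAMPLE = [
    _REC.format("076", 213, '"' + _CONF + 'redshift.conf"'),
    _REC.format("911", 214, '"' + _CONF + 'redshift.conf"'),          # repeat
    _REC.format("950", 215, (_CONF + "night mode.conf").encode().hex().upper()),
    'type=SYSCALL msg=audit(1550535771.950:215): arch=c000003e syscall=257 success=no',
]

if __name__ == "__main__":
    for row in summarize(SAMPLE, "/home/username/.config/", "/home/username/.config.tumbleweed/"):
        print(row)
```

A denial whose pre_alias value is None lies outside the aliased directory, so the alias would not change how the profile treats it.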