Hello!
- I configured Xubuntu's AppArmor to my needs and installed the package with additional rules. I also started to create one for the "/usr/bin/wineserver" process since I think that needs to be secured too.
LOCATION: /etc/apparmor.d/usr.bin.wineserver
MODE : complain
# Last Modified: Wed Jun 10 19:21:16 2009
#include <tunables/global>
/usr/bin/wineserver flags=(complain) {
#include <abstractions/base>
capability net_bind_service,
/usr/bin/wineserver mr,
/etc/nsswitch.conf r,
/etc/passwd mr,
/etc/ld.so.cache r,
/home/denton/.desktop/* r,
/home/denton/.ies4linux/ie6/* rw,
/home/denton/.ies4linux/ie6/dosdevices/c: r,
/home/denton/.ies4linux/ie6/drive_c/** rw,
/lib/ld-2.7.so mr,
/lib/tls/i686/cmov/libc-2.7.so mr,
/lib/tls/i686/cmov/libdl-2.7.so mr,
/lib/tls/i686/cmov/libnss_compat-2.7.so mr,
/lib/tls/i686/cmov/libnsl-2.7.so mr,
/lib/tls/i686/cmov/libnss_nis-2.7.so mr,
/lib/tls/i686/cmov/libnss_files-2.7.so mr,
/tmp/.wine-1000/** mr,
/usr/lib/libwine.so.1.0 mr,
}
- Unfortunately the log under "/var/log/audit/audit.log" gives me this output:
type=APPARMOR_ALLOWED msg=audit(1244837586.256:7): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/home/denton/.ies4linux/ie6/" pid=5630 profile="/usr/bin/wineserver" namespace="default"
type=APPARMOR_ALLOWED msg=audit(1244837586.256:8): type=1502 operation="inode_mkdir" requested_mask="w::" denied_mask="w::" name="/tmp/.wine-1000/" pid=5630 profile="/usr/bin/wineserver" namespace="default"
type=APPARMOR_ALLOWED msg=audit(1244837586.256:9): type=1502 operation="inode_mkdir" requested_mask="w::" denied_mask="w::" name="/tmp/.wine-1000/server-806-384047/" pid=5630 profile="/usr/bin/wineserver" namespace="default"
type=APPARMOR_ALLOWED msg=audit(1244837586.256:10): type=1502 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/tmp/.wine-1000/server-806-384047/lock" pid=5631 profile="/usr/bin/wineserver" namespace="default"
type=APPARMOR_ALLOWED msg=audit(1244837586.256:11): type=1502 operation="file_lock" requested_mask="wk::" denied_mask="wk::" name="/tmp/.wine-1000/server-806-384047/lock" pid=5631 profile="/usr/bin/wineserver" namespace="default"
etc.
Does someone know why it complains about e.g. «requested_mask="r::" denied_mask="r::" name="/home/denton/.ies4linux/ie6/"» although «/home/denton/.ies4linux/ie6/* rw,» is set in my profile?
I appreciate any help. Thanks!
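
The following is an added example, not part of the original post: a small Python check that replays the five audit records above against three path rules from the profile. The glob translation is a simplified model of AppArmor matching (only `*` and `**`), and it assumes a wildcard that forms a whole path component does not match the directory itself; the helper names are hypothetical.

```python
import re

# Three path rules copied from the profile in the post (glob -> permissions).
RULES = {
    "/home/denton/.ies4linux/ie6/*": "rw",
    "/home/denton/.ies4linux/ie6/drive_c/**": "rw",
    "/tmp/.wine-1000/**": "mr",
}

# The five audit records from the post, reduced to the fields used here.
LOG = '''\
operation="inode_permission" requested_mask="r::" name="/home/denton/.ies4linux/ie6/"
operation="inode_mkdir" requested_mask="w::" name="/tmp/.wine-1000/"
operation="inode_mkdir" requested_mask="w::" name="/tmp/.wine-1000/server-806-384047/"
operation="inode_create" requested_mask="w::" name="/tmp/.wine-1000/server-806-384047/lock"
operation="file_lock" requested_mask="wk::" name="/tmp/.wine-1000/server-806-384047/lock"
'''

def glob_to_regex(glob):
    """Simplified model of AppArmor globbing: only * and ** are handled."""
    out, i = "", 0
    while i < len(glob):
        if glob[i] != "*":
            out, i = out + re.escape(glob[i]), i + 1
            continue
        n = 2 if glob.startswith("**", i) else 1
        rest = "." if n == 2 else "[^/]"          # ** crosses "/", * does not
        # Assumption: a wildcard that is a whole path component needs at least
        # one character, so "/dir/*" and "/dir/**" do not match "/dir/" itself.
        whole = glob[i - 1:i] == "/" and glob[i + n:i + n + 1] in ("", "/")
        out += ("[^/]" if whole else "") + rest + "*"
        i += n
    return re.compile(out + r"\Z")

def missing(name, requested):
    """Return the requested permissions that no matching rule grants."""
    granted = {p for g, perms in RULES.items() if glob_to_regex(g).match(name) for p in perms}
    return set(requested) - granted

def audit(log=LOG):
    """Yield (name, requested, missing) for every record in the log text."""
    for line in log.splitlines():
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        req = f["requested_mask"].split(":")[0]    # "wk::" -> "wk"
        yield f["name"], req, "".join(sorted(missing(f["name"], req)))

if __name__ == "__main__":
    for name, req, miss in audit():
        print(f"{name:45} requested={req:3} not granted={miss or '-'}")
```

Under this model every record is reported: the two directory paths ending in `/` are matched by no rule, and the paths below `/tmp/.wine-1000/` match a rule that grants only `mr`, not `w` or `k`.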