I’ve been going through the SUSE hardening guide and thought it made sense to enable the default profiles provided for various applications in AppArmor; however, some seem to break functionality or simply aren’t applied.
If I enable the Evolution profile, or even just set it to complain, I get this when I try to boot the app:
bwrap: setting up uid map: Permission denied
** (org.gnome.Evolution:12946): ERROR **: 16:28:30.988: Failed to fully launch dbus-proxy: Child process exited with code 1
Trace/breakpoint trap (core dumped)
For Nautilus I get this:
nautilus: error while loading shared libraries: libnautilus-extension.so.4: cannot open shared object file: Permission denied
And Firefox runs fine in enforce mode; however, it doesn’t show up as an active process, so AppArmor isn’t really doing anything with it despite being set to.
Profiles distributed as part of openSUSE are enabled by default anyway. So it is absolutely unclear what you did. Also, you tagged your topic with “tumbleweed” and then you suddenly start talking about “SUSE hardening guide”. Tumbleweed is not SUSE.
Actually I was under the impression that profiles for user programs like Evolution and Firefox are disabled by default and their enforcement is left to the user’s discretion. When I first installed TW these programs were unconfined.
Yes, you are totally correct, thank you. I inspected the contents of these profiles and they are indeed essentially stubs. I’ll have to work on proper profiles for them. Excuse my ignorance!
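Whether a running program such as Firefox is actually confined can be checked directly from the label the kernel reports in /proc/<pid>/attr/current, which reads either "unconfined" or "<profile> (<mode>)". The script below is an added example, not part of any post in this thread; the function names are hypothetical, and it matches tasks by their comm name.

```python
import os
import re
import sys

# Kernel label format: "unconfined" or "<profile name> (<mode>)".
LABEL_RE = re.compile(r"^(?P<profile>.+) \((?P<mode>\w+)\)$")


def parse_label(raw):
    """Return (profile, mode); profile is None for an unconfined task."""
    label = raw.strip("\x00 \n")
    if not label or label == "unconfined":
        return (None, "unconfined")
    m = LABEL_RE.match(label)
    if m:
        return (m.group("profile"), m.group("mode"))
    return (label, "unknown")  # unexpected format: keep the raw label


def confinement(name, proc_root="/proc"):
    """Map pid -> (profile, mode) for every task whose comm equals name.

    comm is truncated by the kernel to 15 characters, so pass the short
    program name (for example "firefox" or "evolution").
    """
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                if f.read().strip() != name:
                    continue
            with open(os.path.join(base, "attr", "current")) as f:
                result[int(entry)] = parse_label(f.read())
        except OSError:
            continue  # task exited, is unreadable, or AppArmor is off
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "firefox"
    for pid, (profile, mode) in sorted(confinement(target).items()):
        print(pid, profile or "-", mode)
```

A task that prints "- unconfined" while its profile is loaded in enforce mode means the profile never attached to that executable.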