On 2017-01-31 05:46 PM, Jean-Philippe Guérard wrote:
> I was able to reproduce the problem, but only using the flash plugin:
>
> Jan 31 23:38:34 tigreraye kernel: [221147.141240] audit: type=1400 audit(1485902314.881:3406): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.CvbXEt" pid=11592 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> Jan 31 23:38:34 tigreraye kernel: [221147.141263] audit: type=1400 audit(1485902314.881:3407): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.5Am9iK" pid=11592 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Good, thanks for the additional information.
> I also tried the java plugin, but it does not use /dev/shm (it fails,
> but for another reason):
>
> Jan 31 23:43:49 tigreraye kernel: [221461.300441] audit: type=1400 audit(1485902629.062:6116995): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=11779 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> Jan 31 23:43:49 tigreraye kernel: [221461.301683] audit: type=1400 audit(1485902629.062:6116996): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=11780 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Yeah, it seems like the Oracle version of the JRE/JDK isn't authorized
in /etc/apparmor.d/abstractions/ubuntu-browsers.d/java. Even OpenJDK/JRE
8 isn't authorized. Both should be supported IMHO.
Thanks,
Simon
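
An added example, not part of the original message: a small parser that groups the AppArmor `DENIED` audit records quoted above by profile, operation, path and mask, so the `/dev/shm` denials and the Java `exec` denials show up as two distinct findings. The function names and the rule that collapses the six-character suffix after `org.chromium.` are assumptions made for this example.

```python
import re
from collections import defaultdict

# Three denial records copied verbatim from the message above.
SAMPLE_LOG = """\
Jan 31 23:38:34 tigreraye kernel: [221147.141240] audit: type=1400 audit(1485902314.881:3406): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.CvbXEt" pid=11592 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan 31 23:38:34 tigreraye kernel: [221147.141263] audit: type=1400 audit(1485902314.881:3407): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.5Am9iK" pid=11592 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan 31 23:43:49 tigreraye kernel: [221461.300441] audit: type=1400 audit(1485902629.062:6116995): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=11779 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')        # key="quoted" or key=bare
AUDIT_ID = re.compile(r"audit\((\d+\.\d+):(\d+)\)")  # audit(epoch:serial)
# Assumption: the 6 characters after "org.chromium." are a random per-file suffix.
SHM_TMP = re.compile(r"^(/dev/shm/org\.chromium\.)[A-Za-z0-9]{6}$")


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None."""
    stamp = AUDIT_ID.search(line)
    if stamp is None:
        return None
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    fields["epoch"] = float(stamp.group(1))
    fields["serial"] = int(stamp.group(2))
    return fields


def summarize(log_text):
    """Group denials by (profile, operation, path pattern, denied_mask)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set()})
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        path = SHM_TMP.sub(r"\1*", d.get("name", ""))
        key = (d.get("profile"), d.get("operation"), path, d.get("denied_mask"))
        groups[key]["count"] += 1
        if "pid" in d:
            groups[key]["pids"].add(int(d["pid"]))
    return dict(groups)


if __name__ == "__main__":
    for (profile, op, path, mask), info in summarize(SAMPLE_LOG).items():
        print(f'{info["count"]}x {op} {path} mask={mask} pids={sorted(info["pids"])}')
```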