[pkg-apparmor] Bug#867692: apparmor-profiles-extra: Totem can't open any video
intrigeri
intrigeri at debian.org
Tue Jul 25 07:06:42 UTC 2017
Hi,
Elia Argentieri:
> Oh... Now I know where the problem is... it's not that it can't play
> any video, it's that all my videos are on another hard disk! I can't
> keep all my videos on my SSD so, my Video folder is a symlink to a
> folder on my traditional hard disk. So I guess I'll have to grant totem
> the ability to read on my hard disk.
I think the best way to work around this problem for you is to
add your other disk to /etc/apparmor.d/tunables/home.d/site.local.
Note that the "totem" abstraction already has:
/{media,mnt,opt,srv}/** r,
… so mounting your other hard drive to one of these standard locations
should be enough.
Anyway, this part of the bug report is solved; let's focus on the
other bits.
> However, for the other errors, I'm using Debian testing updated, I
> tried on X.org and GNOME + Wayland and the results are the same. I do
> have gnome-nightly applications installed via flatpak, because Debian
> is slow at packaging GNOME 3.24.
OK. But the Totem you're running is Debian's, right?
> I added this line to /etc/apparmor.d/local/usr.bin.totem:
>> owner @{HOME}/.cache/mesa/** rwk,
> because otherwise it errors on many other files in that folder. That
> fixed the mesa cache problem.
Thanks. I've updated my merge request upstream (already applied in
testing/sid) with this rule:
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/310120
> Then I added this line to /etc/apparmor.d/local/usr.bin.totem:
>> /var/lib/flatpak/exports/share/icons/** r,
> and that solved all errors. I can now open videos on my home with a
> clean audit.log.
Is it *needed* for Totem to work fine for you, once you've granted it
access to the video files you want to play?
I'd rather not start adding Flatpak-related rules everywhere around
the place before we decide what strategy we want upstream.
Likely the needed changes will be better made in abstractions rather
than in individual profiles.
Cheers,
--
intrigeri
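
Added example (not part of the original message, and not AppArmor's own code): a small Python check of why a symlinked Videos folder is denied while a disk mounted under /mnt is allowed, given that AppArmor matches the resolved path rather than the symlink. The glob translation is a simplified approximation of AppArmor's syntax; the "/home/*/**" rule, the user name and the disk paths are constructed for illustration.

```python
import os
import re

def aa_glob_to_regex(glob):
    """Translate a simplified AppArmor path glob into a compiled regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # '**' crosses directory boundaries
            out.append(".*")
            i += 2
            continue
        if c == "*":                      # '*' stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":                    # {a,b,c} alternation
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def resolve_with(links):
    """Build a resolver from a constructed {symlink: target} map (no disk access)."""
    def resolve(path):
        for link, target in links.items():
            if path == link or path.startswith(link + "/"):
                return target + path[len(link):]
        return path
    return resolve

def covering_rules(path, rules, resolve=os.path.realpath):
    """Return the rules whose glob matches the symlink-resolved path."""
    real = resolve(path)
    return [r for r in rules if aa_glob_to_regex(r).match(real)]

RULES = [
    "/{media,mnt,opt,srv}/**",  # read rule quoted in the message above
    "/home/*/**",               # constructed stand-in for the home-directory rules
]
VIDEO = "/home/user/Videos/film.mkv"  # constructed path

if __name__ == "__main__":
    for target in ("/disk2/Videos", "/mnt/disk2/Videos"):
        hits = covering_rules(VIDEO, RULES, resolve_with({"/home/user/Videos": target}))
        print(target, "->", hits or "DENIED")
```

Called without the resolve argument, covering_rules() uses os.path.realpath, so it can be pointed at a real file to see which of the listed rules would cover it.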