AppArmor does not support non-standard home directory locations - automatic discovery of home directories

Bug #151190 reported by Michael Kofler
Affects: apparmor (Ubuntu) | Status: Fix Released | Importance: Wishlist | Assigned to: Jamie Strandboge | Milestone: none

Bug Description

Binary package hint: cups-pdf

my home directory is /myhome/kofler (/myhome being a separate partition)

for this (I agree: special) case, cups-pdf is unable to create ~/PDF or ~/PDF/name.pdf because of apparmor

/var/log/messages

Oct 10 08:22:41 merkur kernel: [ 1599.236000] audit(1191997361.468:7): type=1503 operation="capable" name="dac_override" pid=13061 profile="/usr/lib/cups/backend/cups-pdf"
Oct 10 08:22:41 merkur kernel: [ 1599.236000] audit(1191997361.468:8): type=1503 operation="capable" name="dac_read_search" pid=13061 profile="/usr/lib/cups/backend/cups-pdf"
Oct 10 08:22:41 merkur kernel: [ 1599.236000] audit(1191997361.468:9): type=1503 operation="inode_mkdir" requested_mask="w" denied_mask="w" name="/myhome/kofler/PDF/" pid=13062 profile="/usr/lib/cups/backend/cups-pdf"
Oct 10 08:27:53 merkur kernel: [ 1910.692000] audit(1191997672.986:10): type=1503 operation="capable" name="dac_override" pid=13121 profile="/usr/lib/cups/backend/cups-pdf"
Oct 10 08:27:53 merkur kernel: [ 1910.692000] audit(1191997672.986:11): type=1503 operation="capable" name="dac_read_search" pid=13121 profile="/usr/lib/cups/backend/cups-pdf"
Oct 10 08:27:53 merkur kernel: [ 1910.692000] audit(1191997672.986:12): type=1503 operation="inode_mkdir" requested_mask="w" denied_mask="w" name="/myhome/kofler/PDF/" pid=13122 profile="/usr/lib/cups/backend/cups-pdf"
Oct 10 08:39:56 merkur kernel: [ 2633.620000] audit(1191998396.027:13): type=1503 operation="capable" name="dac_override" pid=13151 profile="/usr/lib/cups/backend/cups-pdf"
Oct 10 08:39:56 merkur kernel: [ 2633.620000] audit(1191998396.027:14): type=1503 operation="capable" name="dac_read_search" pid=13151 profile="/usr/lib/cups/backend/cups-pdf"
Oct 10 08:39:56 merkur kernel: [ 2633.712000] audit(1191998396.027:15): type=1503 operation="inode_create" requested_mask="w" denied_mask="w" name="/myhome/kofler/PDF/035.pdf" pid=13154 profile="/usr/lib/cups/backend/cups-pdf"

Revision history for this message
hunger (hunger) wrote :

I think this is not a bug but intended behaviour. Apparmor is all about restricting access to locations on disc after all;-)

I'd recommend tuning /etc/apparmor.d/tunables/home to include your custom homedir location(s). That should fix all of the apparmor profiles for your setup (even though it might not, apparmor is still pretty raw in ubuntu IMHO). Well, any breakage after the change I proposed is a new bug:-)

Best regards,
Tobias

Patrice Vetsel (vetsel-patrice) wrote :

Please put cupsd in complain mode for apparmor with:
sudo aa-complain cupsd

and retry your bug.

Changed in cups-pdf:
status: New → Incomplete
Michael Kofler (michael-kofler) wrote :

/var/log/messages with sudo aa-complain cupsd

Oct 12 10:32:03 merkur kernel: [ 7942.556000] audit(1192177922.828:17): type=1502 operation="capable" name="dac_override" pid=6971 profile="/usr/lib/cups/backend/cups-pdf"
Oct 12 10:32:03 merkur kernel: [ 7942.628000] audit(1192177922.828:18): type=1502 operation="inode_create" requested_mask="w" denied_mask="w" name="/myhome/kofler/PDF/Welcome_to_LWN_net__LWN_net_.pdf" pid=6974 profile="/usr/lib/cups/backend/cups-pdf"
Oct 12 10:32:03 merkur kernel: [ 7942.884000] audit(1192177923.328:19): type=1502 operation="setattr" requested_mask="w" denied_mask="w" attribute="mode,ctime," name="/myhome/kofler/PDF/Welcome_to_LWN_net__LWN_net_.pdf" pid=6972 profile="/usr/lib/cups/backend/cups-pdf"

@hunger:

if I change @HOMEDIRS in /etc/apparmor.d/tunables/home like this:

@{HOMEDIRS}=/home/ /myhome/

PDF generation works fine; no negative side-effects so far

thanks for the hint!

Till Kamppeter (till-kamppeter) wrote :

It would be nice if there were an easy way to configure AppArmor for non-standard home (and system) directory locations, by some config tool or automatically whenever a new user gets added. Also, the post-install script of AppArmor could discover where user home directories are placed and adapt the AppArmor configuration.

Changed in cups-pdf:
importance: Undecided → Wishlist
status: Incomplete → Confirmed
Mathias Gug (mathiaz)
Changed in apparmor:
status: Confirmed → Triaged
Mathias Gug (mathiaz) wrote :

I've added a note to the AppArmor (https://help.ubuntu.com/community/AppArmor) guide about customizing profiles with non-standard home directories.

hunger (hunger) wrote :

Actually I think it is a bad idea to automagically change AppArmor settings around: its sole purpose is to restrict access after all.

Either you care about the extra security layer apparmor provides: You will not want random scripts to change settings around for you. E.g. I have a couple of system users with non-standard homedirs: I do want apparmor to prevent some service from writing there. So please don't try to make apparmor clever and auto-add homedirs!

If you do not care for this extra security layer then you can just deinstall the whole thing and don't need to worry about it.

It is great that Mathias documented this though!

Jamie Strandboge (jdstrand) wrote :

I agree that we can't automagically change apparmor settings at runtime. However, we should discuss ways to improve this usability issue. This topic is planned for Lucid UDS.

Jamie Strandboge (jdstrand) wrote :

This was actually fixed for Lucid in 2.5~pre+bzr1362-0ubuntu2 where apparmor will use the /etc/apparmor.d/tunables/home.d directory and prepopulate HOMEDIRS on upgrades.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → Fix Released
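An added example (not part of the bug report or of AppArmor itself) that ties Michael's @{HOMEDIRS} edit to the denial lines quoted above: it reads the directories configured in tunables/home (plus a home.d drop-in, assuming the `@{HOMEDIRS}+=` append syntax), pulls the `name=` path out of each `denied_mask` audit line, and reports denied paths that no configured home directory covers. The tunables content and log lines below are constructed samples in the report's format, not the reporter's data.

```shell
#!/bin/sh
# Constructed sample of /etc/apparmor.d/tunables/home plus a home.d drop-in.
# The "+=" form for home.d is an assumption about the parser, not from the report.
SAMPLE_TUNABLES='@{HOMEDIRS}=/home/
@{HOMEDIRS}+=/myhome/'

# Constructed audit lines in the format the report quotes; one capability
# denial (no path) and two file denials, one inside and one outside a homedir.
SAMPLE_LOG='Oct 12 10:32:03 merkur kernel: audit(1192177922.828:17): type=1502 operation="capable" name="dac_override" pid=6971 profile="/usr/lib/cups/backend/cups-pdf"
Oct 12 10:32:03 merkur kernel: audit(1192177922.828:18): type=1502 operation="inode_create" requested_mask="w" denied_mask="w" name="/myhome/kofler/PDF/test.pdf" pid=6974 profile="/usr/lib/cups/backend/cups-pdf"
Oct 12 10:32:04 merkur kernel: audit(1192177924.100:19): type=1502 operation="inode_create" requested_mask="w" denied_mask="w" name="/srv/data/out.pdf" pid=6975 profile="/usr/lib/cups/backend/cups-pdf"'

# Print every directory assigned or appended to @{HOMEDIRS}, one per line.
homedirs() {
    printf '%s\n' "$1" \
        | sed -n 's/^@{HOMEDIRS}[+]*=//p' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# Print the name= path of each file-access denial; capability denials
# carry no denied_mask and are skipped.
denied_paths() {
    printf '%s\n' "$1" \
        | grep 'denied_mask=' \
        | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Print denied paths that lie under none of the configured home directories.
# Anything printed here is a candidate for a home.d entry or a real denial.
uncovered() {
    dirs=$(homedirs "$1")
    denied_paths "$2" | while IFS= read -r path; do
        covered=0
        for d in $dirs; do
            case "$path" in "$d"*) covered=1 ;; esac
        done
        if [ "$covered" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

uncovered "$SAMPLE_TUNABLES" "$SAMPLE_LOG"
```

On a real system, feed it the contents of /etc/apparmor.d/tunables/home and its home.d files together with `grep denied_mask /var/log/messages`.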