@paride:

RE: aa-notify

aa-notify does not require the desktop-security-center snap. The desktop-security-center snap is required for permissions prompting, which is a different feature that is only available to snaps atm*.

aa-notify is after-the-fact updating of the profile, similar to using aa-logprof. It is tailing the log file looking for denials, which it then sends a desktop notification for. Clicking allow on the notification should pop up a password request, and if that is granted it will use the same backend as aa-genprof/logprof to add the entry to the profile, which is saved to disk, and then the apparmor_parser is kicked off to replace the profile by giving it the updated profile files.

This after-the-fact update will live update a running application/service; however, the application/service may not try to access the file in question again until it is restarted, e.g. say it tries to access a config file, and is denied, so the service uses some internal defaults and starts running. It won't try to access the config file again until it is restarted, or at least told to reread its config.

Can I get some clarification on what you mean by temporary? It sounds to me like the profile is never updated, and that openvpn never gets permission to access the file. Am I correct, or is there a window where openvpn gets access?

When you click allow, do you get a window pop-up that asks for your password, to update the apparmor profile permissions?

* Permissions prompting is similar to aa-notify on the surface, but it uses an entirely different mechanism. First, instead of after the fact, it happens before the request gets denied. The kernel suspends the application and sends an upcall to the system snapd daemon. That daemon routes the message to the user's session, where a desktop agent prompts the user and sends the response back to the system snapd daemon, which handles updating the snap's apparmor policy. The desktop-security-center snap provides the GUI configuration interface for the feature. It has the toggle that tells snapd to enable permission prompting, and allows the user to delete the rules that they have added (but not the base apparmor profile).
In fact, beyond the desktop-security-center being required to enable the feature, it isn't actually needed for the feature to function.

-- 
https://bugs.launchpad.net/bugs/2098930

Title:
  openvpn profile doesn't allow access to files on home dir
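
Added example (not part of the message above, and not AppArmor's own code): a small scan of the kind of after-the-fact log data the message describes, picking `apparmor="DENIED"` records out of log text and grouping the denied masks per profile and path. The sample log lines, the user name and paths in them, and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the kernel audit format (not from the bug report).
SAMPLE_LOG = '''\
Feb 20 10:00:01 host kernel: audit: type=1400 audit(1740045601.101:210): apparmor="DENIED" operation="open" class="file" profile="openvpn" name="/home/alice/vpn/client.conf" pid=4021 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Feb 20 10:00:01 host kernel: audit: type=1400 audit(1740045601.105:211): apparmor="DENIED" operation="open" class="file" profile="openvpn" name="/home/alice/vpn/ca.crt" pid=4021 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Feb 20 10:00:02 host kernel: audit: type=1400 audit(1740045602.000:212): apparmor="ALLOWED" operation="open" class="file" profile="example-complain" name="/etc/hosts" pid=4100 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 20 10:00:03 host kernel: audit: type=1400 audit(1740045603.000:213): apparmor="DENIED" operation="mknod" class="file" profile="openvpn" name="/home/alice/vpn/client.conf" pid=4021 comm="openvpn" requested_mask="c" denied_mask="c" fsuid=0 ouid=1000
Feb 20 10:00:04 host sshd[900]: Accepted publickey for alice
'''

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare

def parse_denials(text):
    """Return one dict of fields per apparmor="DENIED" record in text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # skips ALLOWED (complain mode) and unrelated lines
        fields = {k: (quoted if raw.startswith('"') else raw)
                  for k, raw, quoted in KV.findall(line)}
        if {"profile", "name", "denied_mask"} <= fields.keys():
            records.append(fields)
    return records

def candidate_rules(text):
    """Merge denied masks per (profile, path) into profile-style file rules."""
    masks = defaultdict(set)
    for f in parse_denials(text):
        # The log distinguishes c (create) and d (delete); profiles express both as w.
        mask = f["denied_mask"].replace("c", "w").replace("d", "w")
        masks[(f["profile"], f["name"])].update(mask)
    return sorted((prof, f"{path} {''.join(sorted(m))},")
                  for (prof, path), m in masks.items())

if __name__ == "__main__":
    for profile, rule in candidate_rules(SAMPLE_LOG):
        print(f"profile {profile}: {rule}")
```

The output is only a list of candidate rules for review; whether a denied path should be granted at all is a policy decision for the profile owner.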