Hi, On 10/02/2014 05:12 AM, Chris Wayne wrote: > It seems that recently a package (signon-apparmor-extension) has been > included that has been causing some issues > (see https://bugs.launchpad.net/savilerow/+bug/1376445).
I added a comment on the bug suggesting a fix. > Is there some apparmor policy group that I would need to include to be > able to access Online Accounts? We have some scopes using accounts, and > they're failing to get tokens with the following error: > GDBus.Error:com.google.code.AccountsSSO.SingleSignOn.Error.PermissionDenied: > Client has insuficient permissions to access the > service.Method:getAuthSessionObjectPath Unconfined applications can always access OA (so no, if your app is unconfined, apparmor doesn't block any access to OA), but then OA has its own ACL checks, and will allow only authorised processes to access the accounts. By default, all our plugins add "unconfined" to the account's ACL as soon as the account is created, in order to allow all unconfined processes to use the account. But the UbuntuOne plugin was not doing that. Can you please confirm that this problem only affects apps and scopes using the U1 account? Or does it affect other processes too? > Even when being run unconfined. Is this a bug, or is it just a change > in Online Accounts that needs to be accounted for? It's something that we should have noticed much earlier; I only recently found out that the signon-apparmor-extension was not installed on the image (and without it, any application can access any account, which is now what we want!), and asked Jamie to add it. Ciao, Alberto -- Mailing list: https://launchpad.net/~ubuntu-phone Post to : ubuntu-phone@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-phone More help : https://help.launchpad.net/ListHelp
