Qubes-Whonix-12
Followed steps from https://www.whonix.org/wiki/AppArmor to set kernelopts for Whonix Templates and existing AppVMs.
Installed AppArmor Profiles from Whonix Testers Repository. Reboot all VMs.
In existing AppVMs, okular & gwenview behave as expected: access (rw) is granted to /home/user/ and /home/user/Downloads. Access (r) is denied to /home/user/somethingelse.
Created new AppVMs based on existing Templates. kernelopts are inherited. env var $HOME=/home/user. Running okular generates many DENIED operations (not present on Existing AppVMs):
Apr 15 22:23:20 host kernel: [ 17.718374] audit: type=1400 audit(1460759000.626:17): apparmor="DENIED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=2044 comm="okular" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 17.779099] audit: type=1400 audit(1460759000.686:18): apparmor="DENIED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=2048 comm="kdeinit4" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 17.825963] audit: type=1400 audit(1460759000.732:19): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/config/kdedrc" pid=2050 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 17.826143] audit: type=1400 audit(1460759000.733:20): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-lowfat/share/config/kdedrc" pid=2050 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 17.973326] audit: type=1400 audit(1460759000.880:21): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/config/kdedrc" pid=2051 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 17.973367] audit: type=1400 audit(1460759000.880:22): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-lowfat/share/config/kdedrc" pid=2051 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 18.040736] audit: type=1400 audit(1460759000.947:23): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/mime/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 18.040758] audit: type=1400 audit(1460759000.947:24): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/home/user/.kde/share/kde4/services/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 15 22:23:20 host kernel: [ 18.040775] audit: type=1400 audit(1460759000.947:25): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/kde4/services/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 18.088457] audit: type=1400 audit(1460759000.995:26): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/kde4/services/plasma-applet-batterymonitor.desktop" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Also, DENIED access to /home/user:
Apr 15 23:43:29 host kernel: [ 4827.022576] audit: type=1400 audit(1460763809.929:108): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/home/user/" pid=3910 comm="kio_file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Tried aa-complain, followed by aa-logprof. No changes proposed.
Tried aa-disable /etc/apparmor.d/usr.bin.okular. Still no access to /home/user.
Maybe not apparmor related?
Feels like I need to initialize something without apparmor present?
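Added example (not part of the post above, and not Whonix or AppArmor project code): a small parser for the `type=1400` AppArmor audit lines quoted in the post, which groups the DENIED events by profile, lists the denied paths under a given directory (here the /home/user question), and prints a candidate allow rule for each event in profile syntax so a reviewer can compare them against what aa-logprof proposes. The sample log is copied from the post's own lines; the function names and the rule-generation heuristic (plain `ix` for exec, the denied mask for everything else) are my own choices.

```python
"""Parse AppArmor DENIED audit lines and summarise what a profile blocked."""
import re
from collections import defaultdict

# Sample input: audit lines copied from the post above (constructed test data).
SAMPLE_LOG = """\
Apr 15 22:23:20 host kernel: [ 17.718374] audit: type=1400 audit(1460759000.626:17): apparmor="DENIED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=2044 comm="okular" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 17.779099] audit: type=1400 audit(1460759000.686:18): apparmor="DENIED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=2048 comm="kdeinit4" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 17.825963] audit: type=1400 audit(1460759000.732:19): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/config/kdedrc" pid=2050 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 18.040736] audit: type=1400 audit(1460759000.947:23): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/mime/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [ 18.040758] audit: type=1400 audit(1460759000.947:24): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/home/user/.kde/share/kde4/services/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 15 23:43:29 host kernel: [ 4827.022576] audit: type=1400 audit(1460763809.929:108): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/home/user/" pid=3910 comm="kio_file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# Matches key="quoted value" or key=bare_value, the two forms the AppArmor
# audit hook prints. The kernel/audit prefix before 'apparmor=' is skipped.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    idx = line.find('apparmor=')
    if idx < 0:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line[idx:]):
        fields[key] = quoted or bare
    return fields


def denied_events(log_text):
    """Yield the parsed events whose decision is DENIED (ALLOWED/AUDIT lines are skipped)."""
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev.get('apparmor') == 'DENIED':
            yield ev


def summarize(log_text):
    """Group denials as {profile: {(comm, operation, name, denied_mask): count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in denied_events(log_text):
        key = (ev.get('comm'), ev.get('operation'), ev.get('name'), ev.get('denied_mask'))
        summary[ev.get('profile')][key] += 1
    return {profile: dict(counts) for profile, counts in summary.items()}


def denials_under(log_text, prefix):
    """Distinct denied paths beneath prefix, e.g. '/home/user' for the question in the post."""
    return sorted({ev['name'] for ev in denied_events(log_text)
                   if ev.get('name', '').startswith(prefix)})


def candidate_rule(ev):
    """One AppArmor rule that would permit this single denied access (heuristic, for review)."""
    if ev.get('operation') == 'exec':
        return f'{ev["name"]} ix,'   # inherit the calling profile's confinement
    return f'{ev["name"]} {ev["denied_mask"]},'


if __name__ == '__main__':
    for profile, counts in summarize(SAMPLE_LOG).items():
        print(f'profile {profile}:')
        for (comm, op, name, mask), n in sorted(counts.items()):
            print(f'  {n:3d}x {comm:<14} {op:<5} {mask:<3} {name}')
    print('denied under /home/user:', denials_under(SAMPLE_LOG, '/home/user'))
    print('candidate rules:')
    for ev in denied_events(SAMPLE_LOG):
        print('  ' + candidate_rule(ev))
```

Run it against `journalctl -k` or `dmesg` output instead of `SAMPLE_LOG` to get the same grouping for a live VM. The generated rules are deliberately the narrowest literal paths; a profile author would normally widen them (for example `owner @{HOME}/** r,`) after checking why the access is needed, which is also the point at which the post's "no access even with the profile disabled" symptom can be separated from a genuine profile gap.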