In particular, I see:
[ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override"
[ 1212.557110] type=1400 audit(1319105597.357:26): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=2 capname="dac_read_search"
That's something that we really don't want to grant, and we should just hide the message.
[ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
(for a few more PIDs, too). None of these PIDs exist any more after starting the session; the profile allows the guest session to look into /proc directories for processes which are owned by guest, nothing else. So these processes should belong to some other owners. However, I notice that e.g. seahorse complains about not being able to connect to the keyring, so apparently something needs fixing here.
[ 1213.832400] type=1400 audit(1319105598.637:32): apparmor="DENIED" operation="open" parent=12039 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/2/stat" pid=12073 comm="killall" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
This error message seems harmless.
[ 1228.269177] type=1400 audit(1319105613.097:210): apparmor="DENIED" operation="open" parent=12218 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/lib64/" pid=12219 comm="whereis" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
We can allow reading/mapping /lib64, I'll add that.
[ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118
mknod sounds like a no-no. s-c-p should have no business doing this. I'll hide the AA error.
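The triage done by hand above (collapse the repeated PIDs, then decide per denial whether to grant the access or silence it with a quiet deny rule) can be scripted; the following is an added example, not code from the report or from the lightdm profile. It parses the key=value format of the audit lines quoted above (the four sample lines are those lines with the extraction whitespace repaired) and renders the profile line a reviewer would add; the allow/deny choice is the reviewer's, and the mapping of the audit "c" (create) mask onto the profile "w" permission is my assumption about AppArmor syntax.

```python
import re
from collections import Counter

# Sample AppArmor audit records, taken from the denials quoted in the report above.
SAMPLE_LOG = """\
[ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override"
[ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
[ 1228.269177] type=1400 audit(1319105613.097:210): apparmor="DENIED" operation="open" parent=12218 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/lib64/" pid=12219 comm="whereis" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
[ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the fields of one AppArmor audit record as a dict, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def denials(log):
    """All DENIED records in a log, in order."""
    parsed = (parse_line(line) for line in log.splitlines())
    return [f for f in parsed if f and f.get('apparmor') == 'DENIED']


def summarize(entries):
    """Count denials by (operation, comm, target) so the per-PID repeats collapse into one row."""
    counts = Counter()
    for e in entries:
        target = e.get('capname') or e.get('name') or ''
        counts[(e['operation'], e['comm'], target)] += 1
    return counts


def candidate_rule(entry, allow):
    """Render the profile line for one denial.

    A plain 'deny' rule is not logged, which is how the report 'hides' the
    messages it does not want to grant (fusermount's capabilities, the .pyc mknod).
    """
    prefix = '' if allow else 'deny '
    if entry['operation'] == 'capable':
        return f"{prefix}capability {entry['capname']},"
    # Assumption: the audit mask letter 'c' (create) is covered by 'w' in profile syntax.
    perms = ''.join(sorted(set(entry['denied_mask'].replace('c', 'w'))))
    return f"{prefix}{entry['name']} {perms},"
```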