pulseaudio tries to create @{run}/user/@{uid}/dconf/

[beroal]

Hi. The pulseaudio profile tries to create the directory @{run}/user/@{uid}/dconf/, but this operation isn't allowed or denied. Should it be allowed?

type=AVC msg=audit(1640736194.447:2538): apparmor="DENIED" operation="mkdir" profile="pulseaudio" name="/run/user/1001/dconf/" pid=12848 comm="gsettings-helpe" requested_mask="c" denied_mask="c" fsuid=1001 ouid=1001FSUID="user" OUID="user"

[roddhjav]

Thank for the catch. Fixed.

[nobody43]

I'm afraid it's much more than that.
PA on Ubuntu, for example, requires extensive access to DBus. I've tried to look into this issue, but haven't managed to iron it out yet (#20).
BTW, upstream have a profile for pulseaudio:
https://gitlab.com/apparmor/apparmor-profiles/-/blob/master/ubuntu/20.04/usr.bin.pulseaudio

[roddhjav]

That possible yes. Sadly I don't use pulseaudio myself anymore (pipewire is more modern), so I cannot test it deeply. However, this profile used to work perfectly fine (on arch).

Thank for #20. Did you integrated upstream dbus rules? Did you test it?

[nobody43]

No, upstream is too relaxed on DBus, I'm taking my own approach.
The profile is not ready. Give me a couple of days and I'll undraft it.

[beroal]

I can post other problems I discovered if you like.

[nobody43]

https://github.com/roddhjav/apparmor.d/blob/a79fc3f17b53b93c52a6b87f332d59b92597ccf7/apparmor.d/profiles-m-r/pulseaudio
Please test the new PR and post problems. Also, what's your system?

[beroal]

I meant, problems with other profiles.