gdm & gnome couldn't start after upgrading to the latest apparmor.d

[EricLin0509]

Here is the log I found, most of the logs were about systemd
apparmor="DENIED" operation="file_receive" class="file" profile="gdm-session-worker" name="/run/systemd/sessions/27.ref" comm="gdm-session-wor" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 FSUID="root" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="gdm-session-worker" name="/run/systemd/sessions/29.ref" comm="gdm-session-wor" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 FSUID="root" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="gdm-session-worker" name="/run/systemd/sessions/30.ref" comm="gdm-session-wor" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 FSUID="root" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="gdm-session-worker" name="/run/systemd/sessions/31.ref" comm="gdm-session-wor" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 FSUID="root" OUID="root" apparmor="DENIED" operation="file_inherit" class="file" profile="gnome-session-binary//open" name="/dev/tty1" comm="gio-launch-desk" requested_mask="wr" denied_mask="wr" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="file_inherit" class="file" profile="xdg-desktop-portal" name="/dev/tty1" comm="xdg-desktop-por" requested_mask="wr" denied_mask="wr" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="file_inherit" class="file" profile="xdg-document-portal" name="/dev/tty1" comm="xdg-document-po" requested_mask="wr" denied_mask="wr" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="file_inherit" class="file" profile="xdg-permission-store" name="/dev/tty1" comm="xdg-permission-" requested_mask="wr" denied_mask="wr" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="file_inherit" class="file" profile="xdg-desktop-portal-gnome" name="/dev/tty1" comm="xdg-desktop-por" requested_mask="wr" denied_mask="wr" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="file_inherit" class="file" profile="gjs-console" name="/dev/tty1" comm="gjs" requested_mask="wr" denied_mask="wr" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="file_receive" class="file" profile="gsd-media-keys" name="/run/systemd/inhibit/2.ref" comm="gdbus" requested_mask="w" denied_mask="w" fsuid=120 ouid=0 FSUID="gdm" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="upowerd" name="/run/systemd/inhibit/3.ref" comm="gdbus" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 FSUID="root" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="gsd-media-keys" name="/run/systemd/inhibit/4.ref" comm="gdbus" requested_mask="w" denied_mask="w" fsuid=120 ouid=0 FSUID="gdm" OUID="root" apparmor="DENIED" operation="file_inherit" class="file" profile="xdg-desktop-portal-gtk" name="/dev/tty1" comm="xdg-desktop-por" requested_mask="wr" denied_mask="wr" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="file_receive" class="file" profile="colord" name="/var/lib/gdm/.local/share/icc/edid-72464b98f7dd4cc9327ee3ebcc11c8dd.icc" comm="gdbus" requested_mask="r" denied_mask="r" fsuid=968 ouid=120 FSUID="colord" OUID="gdm" apparmor="DENIED" operation="file_inherit" class="file" profile="gnome-keyring-daemon" name="/dev/tty1" comm="gnome-keyring-d" requested_mask="wr" denied_mask="wr" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="open" class="file" profile="gnome-session-binary" name="/var/lib/gdm/.cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-9" comm="gnome-session-f" requested_mask="r" denied_mask="r" fsuid=120 ouid=120 FSUID="gdm" OUID="gdm" apparmor="DENIED" operation="file_inherit" class="file" profile="xkbcomp" name="/dev/tty3" comm="xkbcomp" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000 FSUID="EricLin" OUID="EricLin" apparmor="DENIED" operation="file_inherit" class="file" profile="xbrlapi" name="/dev/tty3" comm="xbrlapi" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000 FSUID="EricLin" OUID="EricLin" apparmor="DENIED" operation="file_receive" class="file" profile="gnome-shell" name="/run/systemd/inhibit/10.ref" comm="gdbus" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="gsd-media-keys" name="/run/systemd/inhibit/11.ref" comm="gdbus" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="gsd-power" name="/run/systemd/inhibit/12.ref" comm="gdbus" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="gsd-media-keys" name="/run/systemd/inhibit/13.ref" comm="gdbus" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 FSUID="EricLin" OUID="root" apparmor="DENIED" operation="file_receive" class="file" profile="colord" name="/home/EricLin/.local/share/icc/edid-72464b98f7dd4cc9327ee3ebcc11c8dd.icc" comm="gdbus" requested_mask="r" denied_mask="r" fsuid=968 ouid=1000 FSUID="colord" OUID="EricLin"

[roddhjav]

Hum, that is problematic... Most of these rules are already included and should works fine with @{att} defined to / (default).

To give some context, this is related to: https://apparmor.pujol.io/development/internal/#re-attached-path

A feature that is not enabled yet as it still needs a bit of testing in profiles. However, it seems the non-enabled stage is raising some issues.

[roddhjav]

It should be fixed now. Can you confirm on your side? See #559 for the context.

[EricLin0509]

OK, it works, thank you a lot.