diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 33957a48c..d9107cb34 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -75,7 +75,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /usr/share/doc/{,**} r, # - /usr/{lib,libexec}/gvfsd-metadata rPx -> gvfsd-metadata, + @{libexec}/gvfsd-metadata rPx -> gvfsd-metadata, # Firefox home files owner @{MOZ_HOMEDIR}/ rw, diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 447cefce5..a075e499c 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -29,7 +29,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}{lib,libexec}/* rPUx, + @{libexec}/* rPUx, /{usr/,}lib/ibus/ibus-* rPx, /{usr/,}bin/ r, /{usr/,}bin/[a-z0-9]* rPUx, diff --git a/apparmor.d/groups/desktop/accounts-daemon b/apparmor.d/groups/desktop/accounts-daemon index 9b6a9c709..a326a5bf2 100644 --- a/apparmor.d/groups/desktop/accounts-daemon +++ b/apparmor.d/groups/desktop/accounts-daemon @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon -@{exec_path} += /usr/{lib,libexec}/accounts-daemon +@{exec_path} += @{libexec}/accounts-daemon profile accounts-daemon @{exec_path} { include include diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher index 7054246b9..da1864937 100644 --- a/apparmor.d/groups/desktop/at-spi-bus-launcher +++ b/apparmor.d/groups/desktop/at-spi-bus-launcher @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher -@{exec_path} += /usr/{lib,libexec}/at-spi-bus-launcher +@{exec_path} += @{libexec}/at-spi-bus-launcher profile at-spi-bus-launcher @{exec_path} { include include diff --git a/apparmor.d/groups/desktop/at-spi2-registryd b/apparmor.d/groups/desktop/at-spi2-registryd index 697a9ae5f..2e67512cf 100644 
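Review bot: In the dbus-daemon hunk, `@{libexec}/* rPUx,` is not equivalent to the rule it replaces: `/{usr/,}{lib,libexec}/*` also matched `/lib/*`, `/libexec/*` and `/usr/libexec/*`, while this commit defines `@{libexec}` as `/usr/lib` only. The same narrowing applies to the two rewritten rules in the gnome-shell hunk (`@{libexec}/polkit-1/polkit* rPx,` and `@{libexec}/* rPUx,`). If the narrowing is intended, a comment such as `# helpers under @{libexec} only; /lib and /libexec are no longer matched` would record it; otherwise keep a `/{usr/,}lib/* rPUx,` rule next to the new one, in the style of the neighbouring `/{usr/,}lib/ibus/ibus-* rPx,` line. Because `PUx` falls back to unconfined execution when the target has no profile, it is worth confirming from the denial logs which helpers these wildcard rules are really needed for. Both profile bodies continue outside the hunks.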
--- a/apparmor.d/groups/desktop/at-spi2-registryd +++ b/apparmor.d/groups/desktop/at-spi2-registryd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd -@{exec_path} += /usr/{lib,libexec}/at-spi2-registryd +@{exec_path} += @{libexec}/at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/desktop/blueman-mechanism b/apparmor.d/groups/desktop/blueman-mechanism index b0b554eff..da9a0543a 100644 --- a/apparmor.d/groups/desktop/blueman-mechanism +++ b/apparmor.d/groups/desktop/blueman-mechanism @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/{lib,libexec}/blueman-mechanism +@{exec_path} = @{libexec}/blueman-mechanism @{exec_path} += /{usr/,}lib/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} { include @@ -24,7 +24,7 @@ profile blueman-mechanism @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /usr/{lib,libexec}/ r, + @{libexec}/ r, /var/lib/blueman/network.state rw, diff --git a/apparmor.d/groups/desktop/blueman-rfcomm-watcher b/apparmor.d/groups/desktop/blueman-rfcomm-watcher index a52a9ba0e..eaa7512b8 100644 --- a/apparmor.d/groups/desktop/blueman-rfcomm-watcher +++ b/apparmor.d/groups/desktop/blueman-rfcomm-watcher @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/{lib,libexec}/blueman-rfcomm-watcher +@{exec_path} = @{libexec}/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include @@ -14,7 +14,7 @@ profile blueman-rfcomm-watcher @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /usr/{lib,libexec}/ r, + @{libexec}/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/desktop/bluetoothd b/apparmor.d/groups/desktop/bluetoothd index f79d91670..30f501713 100644 --- a/apparmor.d/groups/desktop/bluetoothd +++ b/apparmor.d/groups/desktop/bluetoothd 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/bluetooth/bluetoothd -@{exec_path} += /usr/{lib,libexec}/bluetooth/bluetoothd +@{exec_path} += @{libexec}/bluetooth/bluetoothd profile bluetoothd @{exec_path} { include diff --git a/apparmor.d/groups/desktop/colord b/apparmor.d/groups/desktop/colord index f63c52325..12dd8522b 100644 --- a/apparmor.d/groups/desktop/colord +++ b/apparmor.d/groups/desktop/colord @@ -18,7 +18,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /{usr/,}lib/colord/colord-sane rPx, - /usr/{lib,libexec}/colord-sane rPx, + @{libexec}/colord-sane rPx, owner /var/lib/colord/** r, owner /var/lib/colord/.cache/ rw, diff --git a/apparmor.d/groups/desktop/colord-sane b/apparmor.d/groups/desktop/colord-sane index 9488de01d..0f3cfa1f6 100644 --- a/apparmor.d/groups/desktop/colord-sane +++ b/apparmor.d/groups/desktop/colord-sane @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/colord/colord-sane -@{exec_path} += /usr/{lib,libexec}/colord-sane +@{exec_path} += @{libexec}/colord-sane profile colord-sane @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/desktop/colord-session b/apparmor.d/groups/desktop/colord-session index 624d63a03..78d639a5c 100644 --- a/apparmor.d/groups/desktop/colord-session +++ b/apparmor.d/groups/desktop/colord-session @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/colord/colord-session /usr/{lib,libexec}/colord-session +@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session profile colord-session @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/desktop/dconf-service b/apparmor.d/groups/desktop/dconf-service index 15a762603..8cc9e791c 100644 --- a/apparmor.d/groups/desktop/dconf-service +++ b/apparmor.d/groups/desktop/dconf-service 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/dconf/dconf-service /usr/{lib,libexec}/dconf-service +@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/desktop/obexd b/apparmor.d/groups/desktop/obexd index 95d016aeb..60764ea2d 100644 --- a/apparmor.d/groups/desktop/obexd +++ b/apparmor.d/groups/desktop/obexd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/{lib,libexec}/bluetooth/obexd +@{exec_path} = @{libexec}/bluetooth/obexd profile obexd @{exec_path} { include include diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 26d526e6a..5d854a89b 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -24,7 +24,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /{usr/,}bin/ r, /{usr/,}bin/[a-z0-9]* rPUx, - /usr/{lib,libexec}/** rPUx, + @{libexec}/** rPUx, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0b97db89b..a65d97a74 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -37,9 +37,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/Xwayland rPx, - /{usr/,}{lib,libexec}/polkit-1/polkit* rPx, - /{usr/,}{lib,libexec}/* rPUx, + /{usr/,}bin/Xwayland rPx, + @{libexec}/polkit-1/polkit* rPx, + @{libexec}/* rPUx, /usr/share/backgrounds/{,**} r, /usr/share/desktop-directories/{,*.directory} r, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index a41fcea34..5373623e8 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfs-afc-volume-monitor -@{exec_path} += /usr/{lib,libexec}/gvfs-afc-volume-monitor +@{exec_path} += @{libexec}/gvfs-afc-volume-monitor profile gvfs-afc-volume-monitor @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 172715a79..1eaa0116a 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfs-goa-volume-monitor -@{exec_path} += /usr/{lib,libexec}/gvfs-goa-volume-monitor +@{exec_path} += @{libexec}/gvfs-goa-volume-monitor profile gvfs-goa-volume-monitor @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index 61712fff3..88864385c 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfs-gphoto2-volume-monitor -@{exec_path} += /usr/{lib,libexec}/gvfs-gphoto2-volume-monitor +@{exec_path} += @{libexec}/gvfs-gphoto2-volume-monitor profile gvfs-gphoto2-volume-monitor @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index eac62d54e..94978f25e 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfs-mtp-volume-monitor -@{exec_path} += /usr/{lib,libexec}/gvfs-mtp-volume-monitor +@{exec_path} += @{libexec}/gvfs-mtp-volume-monitor profile gvfs-mtp-volume-monitor @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 0eeac44ce..1acf578bb 100644 
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfs-udisks2-volume-monitor -@{exec_path} += /usr/{lib,libexec}/gvfs-udisks2-volume-monitor +@{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index b4c471778..d1d0a6b02 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd -@{exec_path} += /usr/{lib,libexec}/gvfsd +@{exec_path} += @{libexec}/gvfsd profile gvfsd @{exec_path} { include @@ -18,7 +18,7 @@ profile gvfsd @{exec_path} { # Don't strip env here. /{usr/,}lib/gvfs/gvfsd-* rpx, - /usr/{lib,libexec}/gvfsd-* rpx, + @{libexec}/gvfsd-* rpx, /usr/share/gvfs/{,**} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 7a67acee6..7acf84de6 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-admin -@{exec_path} += /usr/{lib,libexec}/gvfsd-admin +@{exec_path} += @{libexec}/gvfsd-admin profile gvfsd-admin @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index 624c062d9..ef6cdf89d 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-afc -@{exec_path} += /usr/{lib,libexec}/gvfsd-afc +@{exec_path} += @{libexec}/gvfsd-afc profile gvfsd-afc @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index d1a29b240..04f1ed0d6 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-afp -@{exec_path} += /usr/{lib,libexec}/gvfsd-afp +@{exec_path} += @{libexec}/gvfsd-afp profile gvfsd-afp @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index b114de57a..55d4fa01e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-afp-browse -@{exec_path} += /usr/{lib,libexec}/gvfsd-afp-browse +@{exec_path} += @{libexec}/gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index e39fe21ff..ed9b3aa23 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-archive -@{exec_path} += /usr/{lib,libexec}/gvfsd-archive +@{exec_path} += @{libexec}/gvfsd-archive profile gvfsd-archive @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index bdff2011e..1fad9c8c2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-burn -@{exec_path} += /usr/{lib,libexec}/gvfsd-burn +@{exec_path} += @{libexec}/gvfsd-burn profile gvfsd-burn @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 3a592ac21..be789e8bb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-cdda -@{exec_path} += /usr/{lib,libexec}/gvfsd-cdda +@{exec_path} += @{libexec}/gvfsd-cdda profile gvfsd-cdda @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 6e685bb46..705884110 100644 
--- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-computer -@{exec_path} += /usr/{lib,libexec}/gvfsd-computer +@{exec_path} += @{libexec}/gvfsd-computer profile gvfsd-computer @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 9fa66bc3f..45275d6ba 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-dav -@{exec_path} += /usr/{lib,libexec}/gvfsd-dav +@{exec_path} += @{libexec}/gvfsd-dav profile gvfsd-dav @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index ff13e4412..2e9861c10 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-dnssd -@{exec_path} += /usr/{lib,libexec}/gvfsd-dnssd +@{exec_path} += @{libexec}/gvfsd-dnssd profile gvfsd-dnssd @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 348e5069b..955012d9f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-ftp -@{exec_path} += /usr/{lib,libexec}/gvfsd-ftp +@{exec_path} += @{libexec}/gvfsd-ftp profile gvfsd-ftp @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 60f419683..00e52aba7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse 
@@ -7,8 +7,10 @@ abi , include +# DENIED operation="mount" info="failed mntpnt match" error=-13 profile="gvfsd-fuse" name="/home/alex/.cache/gvfs/" comm="gvfsd-fuse" fstype="fuse.gvfsd-fuse" srcname="gvfsd-fuse" flags="rw, nosuid, nodev" + @{exec_path} = /{usr/,}lib/gvfs/gvfsd-fuse -@{exec_path} += /usr/{lib,libexec}/gvfsd-fuse +@{exec_path} += @{libexec}/gvfsd-fuse profile gvfsd-fuse @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index 0da9033f7..6f62148d5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-google -@{exec_path} += /usr/{lib,libexec}/gvfsd-google +@{exec_path} += @{libexec}/gvfsd-google profile gvfsd-google @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index c22aa2732..aa07ff778 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-gphoto2 -@{exec_path} += /usr/{lib,libexec}/gvfsd-gphoto2 +@{exec_path} += @{libexec}/gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 428265256..f4717cef3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-http -@{exec_path} += /usr/{lib,libexec}/gvfsd-http +@{exec_path} += @{libexec}/gvfsd-http profile gvfsd-http @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index fb7dd151d..b2e025ce4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest 
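Review bot: The comment added in the gvfsd-fuse hunk pastes a raw audit record, including a personal path (`/home/alex/.cache/gvfs/`), and the hunk adds no mount rule for the denial it records, so the mount presumably still fails under this profile. A short note in the profile's own terms would be clearer and keeps the user name out of the tree, for example `# FIXME: mount fstype=fuse.gvfsd-fuse on @{HOME}/.cache/gvfs/ is denied (failed mntpnt match)`. The profile body lies outside the hunk, so an existing mount rule that merely fails to match cannot be ruled out from here.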
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-localtest -@{exec_path} += /usr/{lib,libexec}/gvfsd-localtest +@{exec_path} += @{libexec}/gvfsd-localtest profile gvfsd-localtest @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index eb8a9e462..0c97fe46f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-metadata -@{exec_path} += /usr/{lib,libexec}/gvfsd-metadata +@{exec_path} += @{libexec}/gvfsd-metadata profile gvfsd-metadata @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index f92698ab2..2d0731826 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-mtp -@{exec_path} += /usr/{lib,libexec}/gvfsd-mtp +@{exec_path} += @{libexec}/gvfsd-mtp profile gvfsd-mtp @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 6143c9605..bb5e366ab 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-network -@{exec_path} += /usr/{lib,libexec}/gvfsd-network +@{exec_path} += @{libexec}/gvfsd-network profile gvfsd-network @{exec_path} { include diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index e6f48a993..c3f1a04e9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-nfs -@{exec_path} += /usr/{lib,libexec}/gvfsd-nfs +@{exec_path} += @{libexec}/gvfsd-nfs profile gvfsd-nfs @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 6de5e0544..5dd4c5e6a 100644 
--- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-recent -@{exec_path} += /usr/{lib,libexec}/gvfsd-recent +@{exec_path} += @{libexec}/gvfsd-recent profile gvfsd-recent @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 62d6d026c..776a3cfc9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-sftp -@{exec_path} += /usr/{lib,libexec}/gvfsd-sftp +@{exec_path} += @{libexec}/gvfsd-sftp profile gvfsd-sftp @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 5d41c78e0..3010e1c28 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-smb -@{exec_path} += /usr/{lib,libexec}/gvfsd-smb +@{exec_path} += @{libexec}/gvfsd-smb profile gvfsd-smb @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 67f25c74a..3549a8dc1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-smb-browse -@{exec_path} += /usr/{lib,libexec}/gvfsd-smb-browse +@{exec_path} += @{libexec}/gvfsd-smb-browse profile gvfsd-smb-browse @{exec_path} { include include diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 87e8e2327..a5246ce68 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}lib/gvfs/gvfsd-trash -@{exec_path} += /usr/{lib,libexec}/gvfsd-trash +@{exec_path} += @{libexec}/gvfsd-trash profile gvfsd-trash @{exec_path} { include include 
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2e2246e8b..7869ad464 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -26,7 +26,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) { /{usr/,}bin/* r, /{usr/,}sbin/* r, - /usr/{lib,libexec}/** r, + @{libexec}/** r, /etc/systemd/coredump.conf r, diff --git a/apparmor.d/profiles-a-l/gparted b/apparmor.d/profiles-a-l/gparted index dc7824288..c90ef474e 100644 --- a/apparmor.d/profiles-a-l/gparted +++ b/apparmor.d/profiles-a-l/gparted @@ -26,7 +26,7 @@ profile gparted @{exec_path} { /{usr/,}bin/gawk rix, /{usr/,}lib/udisks2/udisks2-inhibit rix, - /usr/{lib,libexec}/udisks2/udisks2-inhibit rix, + @{libexec}/udisks2/udisks2-inhibit rix, @{run}/udev/rules.d/ rw, @{run}/udev/rules.d/90-udisks-inhibit.rules rw, diff --git a/apparmor.d/profiles-a-l/labwc b/apparmor.d/profiles-a-l/labwc index f08b50e91..50ab18f0e 100644 --- a/apparmor.d/profiles-a-l/labwc +++ b/apparmor.d/profiles-a-l/labwc @@ -29,7 +29,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) { # Apps allowed to run /{usr/,}{s,}bin/* rPUx, /{usr/,}bin/* rPUx, - /usr/{lib,libexec}/* rPUx, + @{libexec}/* rPUx, owner @{user_config_dirs}/labwc/ r, owner @{user_config_dirs}/labwc/* r, diff --git a/apparmor.d/profiles-a-l/lightdm b/apparmor.d/profiles-a-l/lightdm index 5da3f7787..7cc35ffbe 100644 --- a/apparmor.d/profiles-a-l/lightdm +++ b/apparmor.d/profiles-a-l/lightdm @@ -116,7 +116,7 @@ profile lightdm @{exec_path} { /var/cache/lightdm/dmrc/*.dmrc* rw, /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx, - /usr/{lib,libexec}/at-spi-bus-launcher rPUx, + @{libexec}/at-spi-bus-launcher rPUx, include if exists } diff --git a/apparmor.d/profiles-a-l/lightdm-gtk-greeter b/apparmor.d/profiles-a-l/lightdm-gtk-greeter index 476afcc75..acb27d8c2 100644 --- a/apparmor.d/profiles-a-l/lightdm-gtk-greeter 
+++ b/apparmor.d/profiles-a-l/lightdm-gtk-greeter @@ -51,7 +51,7 @@ profile lightdm-gtk-greeter @{exec_path} { @{HOME}/.face r, /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx, - /usr/{lib,libexec}/at-spi-bus-launcher rPUx, + @{libexec}/at-spi-bus-launcher rPUx, profile systemd { diff --git a/apparmor.d/profiles-m-z/mission-control b/apparmor.d/profiles-m-z/mission-control index 27728de32..1e528126b 100644 --- a/apparmor.d/profiles-m-z/mission-control +++ b/apparmor.d/profiles-m-z/mission-control @@ -14,7 +14,7 @@ profile mission-control @{exec_path} { network netlink raw, @{exec_path} mr, - /usr/{lib,libexec}/* rPUx, # FIXME: Needed ? + @{libexec}/* rPUx, # FIXME: Needed ? /usr/share/telepathy/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/profiles-m-z/openbox b/apparmor.d/profiles-m-z/openbox index be2117cdd..965908d44 100644 --- a/apparmor.d/profiles-m-z/openbox +++ b/apparmor.d/profiles-m-z/openbox @@ -25,7 +25,7 @@ profile openbox @{exec_path} { /{usr/,}sbin/* rPUx, /{usr/,}bin/* rPUx, /usr/local/bin/* rPUx, - /usr/{lib,libexec}/* rPUx, + @{libexec}/* rPUx, /{usr/,}lib/@{multiarch}/*/** rPUx, /usr/share/themes/*/openbox-3/themerc r, @@ -65,7 +65,7 @@ profile openbox @{exec_path} { /{usr/,}sbin/* rPUx, /{usr/,}bin/* rPUx, /usr/local/bin/* rPUx, - /usr/{lib,libexec}/* rPUx, + @{libexec}/* rPUx, /{usr/,}lib/@{multiarch}/*/** rPUx, /usr/local/lib/python*/dist-packages/ r, diff --git a/apparmor.d/profiles-m-z/rtkit-daemon b/apparmor.d/profiles-m-z/rtkit-daemon index 7ae686bfc..4b4c16890 100644 --- a/apparmor.d/profiles-m-z/rtkit-daemon +++ b/apparmor.d/profiles-m-z/rtkit-daemon @@ -8,7 +8,7 @@ abi , include -@{exec_path} = /usr/{lib,libexec}/rtkit-daemon +@{exec_path} = @{libexec}/rtkit-daemon profile rtkit-daemon @{exec_path} { include include diff --git a/apparmor.d/profiles-m-z/udisksd b/apparmor.d/profiles-m-z/udisksd index 6f07181da..8301782b5 100644 --- a/apparmor.d/profiles-m-z/udisksd 
+++ b/apparmor.d/profiles-m-z/udisksd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/udisks2/udisksd -@{exec_path} += /usr/{lib,libexec}/udisks2/udisksd +@{exec_path} += @{libexec}/udisks2/udisksd profile udisksd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-z/upowerd b/apparmor.d/profiles-m-z/upowerd index 73f119d3c..11873361f 100644 --- a/apparmor.d/profiles-m-z/upowerd +++ b/apparmor.d/profiles-m-z/upowerd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/upower/upowerd -@{exec_path} += /usr/{lib,libexec}/upowerd +@{exec_path} += @{libexec}/upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/tunables/xdg-user-dirs.d/complete b/apparmor.d/tunables/xdg-user-dirs.d/complete index 56a7342c6..10c547937 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/complete +++ b/apparmor.d/tunables/xdg-user-dirs.d/complete @@ -23,6 +23,9 @@ # Common mountpoints @{MOUNTS}=/media/ @{run}/media /mnt +# Libexec path. Different in some distribution +@{libexec}=/usr/lib + # Extra user personal directories @{XDG_PROJECTS_DIR}="Projects" @{XDG_BOOKS_DIR}="Books"
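Review bot: `@{libexec}=/usr/lib` drops the `/usr/libexec` alternative that every replaced `/usr/{lib,libexec}/...` pattern carried, so with this default the profiles no longer match binaries installed under `/usr/libexec`. For profiles whose only attachment is now `@{exec_path} = @{libexec}/...` (blueman-rfcomm-watcher, obexd, rtkit-daemon), the profile would silently not attach on such a system and the daemon would run unconfined. Unless packaging rewrites this value per distribution, which the diff does not show, `@{libexec}=/usr/lib /usr/libexec` keeps the previous coverage. The comment could also say how the value is meant to be overridden, e.g. `# Libexec path; set to /usr/libexec on distributions that use it`. The definition also sits in an xdg-user-dirs tunables file although it is not a user directory, so any profile that does not pull in this file would see an undefined variable.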