- Package:
- thunderbird
- Source:
- thunderbird
- Description:
- mail/news client with RSS, chat and integrated spam filter support
- Submitter:
- Stephen Dowdy
- Date:
- 2026-06-22 20:45:05 UTC
- Severity:
- minor
Attempting to send e-mail results in a popup:
[ Send Message Error ]
Sending of the message failed.
# aa-status --enabled && echo "AppArmor Enabled"
AppArmor Enabled
# aa-status | egrep '(profiles|thunderbird)'
54 profiles are loaded.
21 profiles are in enforce mode.
thunderbird
thunderbird//browser_java
thunderbird//browser_openjdk
thunderbird//gpg
thunderbird//sanitized_helper
33 profiles are in complain mode.
6 processes have profiles defined.
thunderbird (32689)
dmesg shows the following apparmor DENIED messages:
[62711.954571] audit: type=1400 audit(1527437094.186:58): apparmor="DENIED" operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" pid=32700 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[62711.960341] audit: type=1400 audit(1527437094.194:59): apparmor="DENIED" operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[62711.971343] audit: type=1400 audit(1527437094.202:60): apparmor="DENIED" operation="mkdir" profile="thunderbird" name="/run/user/1000/thunderbird_sdowdy/" pid=32689 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[62711.971925] audit: type=1400 audit(1527437094.206:61): apparmor="DENIED" operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[62712.747197] audit: type=1400 audit(1527437094.978:62): apparmor="DENIED" operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[62712.895221] audit: type=1400 audit(1527437095.126:63): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/xdg/mimeapps.list" pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[63310.628483] audit: type=1400 audit(1527437692.863:64): apparmor="DENIED" operation="mknod" profile="thunderbird" name="/run/user/1000/nsemail.eml" pid=32689 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[63310.671468] audit: type=1400 audit(1527437692.907:65): apparmor="DENIED" operation="open" profile="thunderbird" name="/run/user/1000/xauth-1000-_0" pid=32689 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
$ env | grep /run/user
TMPDIR=/run/user/1000/
GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
XDG_RUNTIME_DIR=/run/user/1000
XAUTHORITY=/run/user/1000/xauth-1000-_0
I suspect because i explicitly set TMPDIR to XDG_RUNTIME_DIR (something that should be pretty normal, even better than using /tmp, IMHO), that AppArmor should allow for this.
(i'm not entirely sure that's the issue, but it seems likely)
Also, for general purposes...
I did choose to allow/use maintainer's version of AppArmor configuration in the recent update, however, i think you should respect the existing enforce/complain/disable state of the user's system, as i'd previously done:
aa-complain /etc/apparmor.d/usr.bin.thunderbird
(which i am back to now in order to keep working)
thanks,
--stephen
Hello intri, hello Vincas, this looks like something you guys should have a look at please. Thanks! @intrigeri The uploads of TB 52.8.0 to stretch- and jessie-security did have cherry-picked your reverted commit c33dba2f from unstable so the issue of the user are not related to this modification I guess. Am 27.05.2018 um 18:54 schrieb Stephen Dowdy:
I'll take a look into this.
I've reproduced it. This is yet another sign how we need use more variables in AppArmor, and it needs to be fixed not only for Thunderbird, as $TMPDIR change will affect other confined applications too. I'll continue discussion in AppArmor mailing list to see how to approach it better. P.S. Also, waiting for AppArmor 2.13 in Debian ;)
(Retitling to clarify which condition is needed to trigger the bug, downgrading severity as this AppArmor profile is disabled by default.)
Helllo,
Stephen, while we are discussing this, I'd like to give you an easy
workaround:
Edit /etc/apparmor.d/tunables/alias and add this line:
alias /tmp/ -> /run/user/1000/,
This will (additionally) allow /run/user/1000/ whenever a profile says
/tmp/
If you need a solution that works for all users (and is a bit less
strict because it only enforces that the directory name has to start
with a digit)
alias /tmp/ -> /run/user/[0-9]*/,
After adding the alias, reload all AppArmor profiles.
The alias will "fix" all profiles, not only the thunderbird profile.
Regards,
Christian Boltz
PS: Can someone who knows the Debian bugtracker better please tag this
bug so that we get notifications on pkg-apparmor?
Somehow i missed this earlier...
I had to revisit this, because
# grep apparmor /var/log/dpkg.log
2018-11-16 07:21:25 conffile /etc/apparmor.d/usr.bin.thunderbird install
re-broke things. (sigh, my workplace daily notices were throwing more apparmor="DENIED" traps and leaving my message-pane blank.
(would be nice if there was a tool for the desktop to issue notifications in these cases. maybe there is, but my lack of searching for it has amazingly not revealed it! ;))
Seems that the latest thunderbird update should honor the aa-complain status of my system.
Looking at : /var/lib/dpkg/info/thunderbird.postinst
I see some logic that looks like i should be using a "disable" link. That seems like it would be different, however, than just setting it to 'complain' mode.
(I don't mind having it complaining and logging, but it's a lot more unfriendly to just disable it on my part, or to re-enable enforcing when i am in complain mode)
I dunno if i should file a bug report on that :-/ (i see that this bug is still in 'thunderbird', and the apparmor file is dpkg-owned by thunderbird, so maybe just consider this comment a bug report addition)
Anyway, i implemented your workaround. I may test it out with aa-enabled again at some point just to make sure it's working.
thanks,
--stephen
Hello,
Am Dienstag, 20. November 2018, 17:46:27 CET schrieb Stephen Dowdy:
You are probably looking for
sudo /usr/sbin/aa-notify -p --display $DISPLAY -w 10
(no idea if /var/log/audit/audit.log is readable for users on Debian -
if it is, you can run aa-notify without sudo)
Right, disable and compain mode are different.
The "disable" symlinks will completely disable the profile (it will
prevent loading it), which means running Thunderbird unconfined.
Complain mode means to load the profile, allow everything [1], and log
things that would be denied.
Typically complain mode gets set by adding flags=(complain) to the
profile. There's an alternative solution - you can create a symlink in
/etc/apparmor.d/force-complain/ . While a force-complain symlink makes
things easier for package management, there's a known issue: the binary
profile cache won't be used for those profiles, so loading the profiles
on startup is slower.
If the file belongs to Thunderbird, the bugreport also belongs there ;-)
(and there are enough AppArmor people in CC)
Regards,
Christian Boltz
[1] There's one exception: explicit "deny" rules will be enforced even
in complain mode.
We believe that the bug you reported is fixed in the latest version of
thunderbird, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 900210@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carsten Schoenert <c.schoenert@t-online.de> (supplier of updated thunderbird package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 22 Jun 2026 21:41:06 +0200
Source: thunderbird
Architecture: source
Version: 1:152.0-1
Distribution: experimental
Urgency: medium
Maintainer: Carsten Schoenert <c.schoenert@t-online.de>
Changed-By: Carsten Schoenert <c.schoenert@t-online.de>
Closes: 880424 882218 883245 900210 909281 914403 917613 928178 949450 949649 955380 961269 1127710 1128672 1128876 1138513
Changes:
thunderbird (1:152.0-1) experimental; urgency=medium
.
[ Carsten Schoenert ]
* [5097e09] d/control: Bump B-D for libnss3-dev
* [5350030] New upstream version 152.0
(Closes: #1138513)
* [92962df] Rebuild patch queue from patch-queue branch
Removed patch (included upstream):
fixes/Fix-conflicting-types-for-once_flag-and-call_once-with-gl.patch
fixes/Fix-math_private.h-for-i386-FTBFS.patch
fixes/Fix-sandbox-to-build-with-glibc-2.43.patch
* [46de392] d/mozconfig.default: Remove option --enable-av1
.
[ Christoph Goehre ]
* [5308430] rebuild patch queue from patch-queue branch (Closes: #1128876)
.
[ intrigeri ]
* [77d16c3] Don't install AppArmor policy anymore
(Closes: #1128672, #1127710, #928178, #909281, #955380, #882218, #900210,
#914403, #917613, #949450, #880424, #883245, #961269, #949649)
Checksums-Sha1:
1e9bca601d3dab684f2c1e34bbd107712eb17f8e 8402 thunderbird_152.0-1.dsc
5ed145d0f72ee7e539f3f0d40cea83ed62b1499f 12403192 thunderbird_152.0.orig-thunderbird-l10n.tar.xz
dbef2f6a94cec7b667931b222bdd6f0aaf9a4810 931861244 thunderbird_152.0.orig.tar.xz
6fc9531bd0e3c27e7908228227a542966eb827f8 537512 thunderbird_152.0-1.debian.tar.xz
41476b21bed4090bcf2c148b0178ef52d0e2f2e7 40158 thunderbird_152.0-1_amd64.buildinfo
Checksums-Sha256:
8d348b506605fc73d56722d5a55ed9dae8af623989312e5c039786edfbe4f0f2 8402 thunderbird_152.0-1.dsc
f4afa9846377239357e485da027035fe53762cc8100ced5cf5abca87fca7a1f8 12403192 thunderbird_152.0.orig-thunderbird-l10n.tar.xz
64f02562f1f4a18e39c67b07255feb5828acde86327f55b1ebe45e3ac63963ea 931861244 thunderbird_152.0.orig.tar.xz
52abff98afbeb3859791f46e5602bbbf6982f38876f7e223d0ff1ac7bb77c778 537512 thunderbird_152.0-1.debian.tar.xz
38ab10bf14449c38f7233f8d883b1a6ffbe412606232763f9bcaa5dcda320c03 40158 thunderbird_152.0-1_amd64.buildinfo
Files:
cddc168c5e8bdb4c051a11b4e56831b8 8402 mail optional thunderbird_152.0-1.dsc
27c69983d0063061996fc52794377743 12403192 mail optional thunderbird_152.0.orig-thunderbird-l10n.tar.xz
f49e9b967f1a1fdceec316060aef4959 931861244 mail optional thunderbird_152.0.orig.tar.xz
d435a5b441fa39456dfa21b01881fdf3 537512 mail optional thunderbird_152.0-1.debian.tar.xz
20c10b422095bf9f1d461c01e152c30e 40158 mail optional thunderbird_152.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtw38bxNP7PwBHmKqgwFgFCUdHbAFAmo5mL4ACgkQgwFgFCUd
HbCPqw/+LEBi5TrBqIfSUOoosSHHufs3R4FzJrZ6vNsK4ur6EVNNhR1u0Gc4VtEG
JIaiGg7fCDf3mgAowEIKSQpVHnqMPKpqZemfIWHNT0exdKp1RXlh9OuwGdOqg0Og
5MWrhKzrDVr7p9LmB7ilQ2V0I+xHx1zh/cG58Ar2Pp9Wn8YDlpIQmO0vp6sX2ex5
GTUYHvVrssW4L/hOAsbMu9YUnGPRiHPvj94JF7XT2JFC6mndXtiqvEOH5Oo1UluK
FcM8Xz1GsANmwB4gR7/g0f06RWEjAsOMXPU98ESaY85kRTJ4VlVvGWOknGa0Sptv
frrEG893xRFXFmnrDR7dLH8Ux1cnsGy5wpNCZeLVViuT6Pv4OIm83jijKqaGHvp3
jdD8OWx7YGbYdm+INBBnff5Y/IEEni7EIuX17/S3ZNqlLYJGPbL6OWG+pMK52+xZ
0dMFXCrSMc+xMMUHBQ/aUw3up5t4B5de51tX9kWTFv3W/qIiLdA+PpH2EGiJJJIF
Jgm9q0sAlXLC2GZW55MTbk2/jhewQOcShIRrEKFJUPzpPgeXZAAN/I47uKAzoUAW
0x/Hb0+b72NKBlK8jurZfKYBDPyxLnHSUcCbVCPj8SyzxcCHBZ12jsVhIEjUwMEH
cyFP/Ep5MDC7yo9XX+Xt4na47jktwLRJ5jRpySaIV9RfhvBHPNQ=
=jjF1
-----END PGP SIGNATURE-----