Comment 5 for bug 501822

Jamie Strandboge (jdstrand) wrote : Re: firefox 3.x won't load with libraries in /usr/local/lib

The firefox AppArmor profile is supposed to be opt-in and disabled by default. Users are supposed to explicitly enable the profile for it to be used, as mentioned in https://wiki.ubuntu.com/KarmicKoala/TechnicalOverview#New%20profiles. There was a bug in the packaging during the development cycle for 9.10 for people using daily builds or using firefox-3.5 on 9.04 and upgrading to 9.10. I'm somewhat concerned that the profile was enabled without you specifically enabling it, but if you hit the above bug or another admin enabled the profile, then that would explain it and I'm sorry for the inconvenience.

One of the reasons the profile is disabled by default is because of the issues discussed here, and also because the profile is still in development (though still quite useful for many users). Realplayer not working is simply a profile bug. /usr/local/lib is a different matter, and I would tend to agree with Micah's comment. That said, profiles are not only supposed to work in the default installation, but all common configurations. If there are 3rd party plugins that install to /usr/local, then this should be supported as well.

An AppArmor profile is intended to confine an application to a specific set of actions to proactively protect against flaws in the software it is trying to protect. Firefox is an extremely attractive target for attackers, with 50+ CVEs in the software in 2009 alone, and having an AppArmor profile available for people to use is very important. IMO, too much autoconfiguration of the profile (i.e., via ld.so.conf or other methods) makes it difficult to understand the profile and why it is working (or not working) the way it does, though we could probably just add /usr/local/lib to the profile.