karmic evince apparmor profile is too strict -- can't start on clean install

Bug #475675 reported by Roland Dreier
This bug affects 1 person
Affects: evince (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Ubuntu Desktop Bugs

Bug Description

Binary package hint: evince

I have a fairly fresh karmic install (originally around alpha5, updated to the latest), and with a clean new home directory, evince won't start... it shows:

    (evince:23877): EvinceDocument-WARNING **: Failed to create directory /users/rdreier/.gnome2/evince: Permission denied

and exits, and the kernel log has:

    [73533.671209] type=1503 audit(1257445052.499:91): operation="mkdir" pid=23771 parent=11875 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=33217 ouid=33217 name="/users/rdreier/.gnome2/evince/"

This is because .gnome2/evince is created by evince on the first run by a user. I can work around this by doing "mkdir ~/.gnome2/evince" but of course someone who doesn't understand the cryptic message is just going to be stuck. So I think the evince profile should be updated to allow creating this directory.

ProblemType: Bug
Architecture: amd64
Date: Thu Nov 5 10:17:40 2009
DistroRelease: Ubuntu 9.10
Package: evince 2.28.1-0ubuntu1
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: evince
Uname: Linux 2.6.31-14-generic x86_64

Roland Dreier (roland.dreier) wrote :

By the way, even after creating ~/.gnome2/evince, apparmor is still breaking a few more minor things with evince... it works and is able to view documents, but:

    [73811.496586] type=1503 audit(1257445330.292:94): operation="open" pid=23890 parent=11875 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33217 ouid=33217 name="/users/rdreier/.ICEauthority"
    [73811.566182] type=1503 audit(1257445330.362:95): operation="open" pid=23890 parent=11875 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33217 ouid=33217 name="/users/rdreier/.recently-used.xbel"
    [73811.609963] type=1503 audit(1257445330.401:96): operation="mknod" pid=23890 parent=11875 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=33217 ouid=33217 name="/users/rdreier/.gnome2/evince/evince-crashed.95T02U"

which lead to:

    (evince:23905): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported

    (evince:23905): Gtk-WARNING **: Attempting to read the recently used resources file at `/users/rdreier/.recently-used.xbel', but the parser failed: Failed to open file '/users/rdreier/.recently-used.xbel': Permission denied.

    ** (evince:23905): WARNING **: Failed to create file '/users/rdreier/.gnome2/evince/evince-crashed.Z2S72U': Permission denied

Sebastien Bacher (seb128) wrote :

Thanks for the bug report. This particular bug has already been reported, but feel free to report any other bugs you find.

Changed in evince (Ubuntu):
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
importance: Undecided → Low
status: New → Invalid
Roland Dreier (roland.dreier) wrote :

Is this really a dupe of bug #447292 (which is "AppArmor does not allow access when @{HOME} is not /home")? This bug is reporting some problems with the evince apparmor profile, since it forbids some actions that evince legitimately wants to do (access recent files, connect to session management). And this can't be fixed by adjusting apparmor tunables to deal with a different home directory location -- it happens even with a totally standard /home/user directory. Furthermore, it's not even a bug in apparmor -- it's a problem with the apparmor files shipped in the evince package.

Jamie Strandboge (jdstrand) wrote :

Roland, based on the information in the attached kern.log, the home directory is /users/rdreier/.ICEauthority. Therefore /etc/apparmor.d/tunables/home needs to be adjusted. This is the same problem as in bug #447292. While evince is affected, it is actually a deficiency in the apparmor package and/or tools that /etc/apparmor.d/tunables/home is not adjusted in some way on upgrades.
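
The triage described in the comment above, as an added example that is not part of the original report or of the AppArmor tools: it parses the `type=1503` denial lines quoted in this bug and reports whether they are explained by the user's home directory lying outside the roots listed in `@{HOMEDIRS}` in /etc/apparmor.d/tunables/home. The function names are hypothetical, and the stock value `@{HOMEDIRS}=/home/` is assumed as the default.

```python
import re
from pathlib import PurePosixPath

# Denial lines copied from the kernel log quoted in this report.
SAMPLE_LOG = '''\
[73533.671209] type=1503 audit(1257445052.499:91): operation="mkdir" pid=23771 parent=11875 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=33217 ouid=33217 name="/users/rdreier/.gnome2/evince/"
[73811.496586] type=1503 audit(1257445330.292:94): operation="open" pid=23890 parent=11875 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33217 ouid=33217 name="/users/rdreier/.ICEauthority"
[73811.566182] type=1503 audit(1257445330.362:95): operation="open" pid=23890 parent=11875 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33217 ouid=33217 name="/users/rdreier/.recently-used.xbel"
[73811.609963] type=1503 audit(1257445330.401:96): operation="mknod" pid=23890 parent=11875 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=33217 ouid=33217 name="/users/rdreier/.gnome2/evince/evince-crashed.95T02U"
'''

KV = re.compile(r'(\w+)="([^"]*)"')

def parse_denials(log):
    """Yield one dict of key="value" fields per AppArmor denial (type=1503) line."""
    for line in log.splitlines():
        if "type=1503" in line and "denied_mask=" in line:
            yield dict(KV.findall(line))

def under(path, root):
    """True if path is root or lies below it (compared by component, not by string prefix)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def diagnose(log, home, homedirs=("/home/",)):
    """Return (denials explained by a @{HOMEDIRS} mismatch, other denials, root to add or None)."""
    home = PurePosixPath(home)
    roots = {PurePosixPath(d) for d in homedirs}
    # @{HOME} expands to @{HOMEDIRS}/*/ plus /root/, so a home must be a direct child of a root.
    covered = home.parent in roots or home == PurePosixPath("/root")
    mismatch, other = [], []
    for d in parse_denials(log):
        (other if covered or not under(d["name"], home) else mismatch).append(d)
    return mismatch, other, None if covered else f"{home.parent}/"

if __name__ == "__main__":
    mismatch, other, add_root = diagnose(SAMPLE_LOG, "/users/rdreier")
    for d in mismatch:
        print(f'{d["profile"]}: {d["operation"]} {d["denied_mask"]} {d["name"]}')
    if add_root:
        print(f"home is outside @{{HOMEDIRS}}; candidate root to add: {add_root}")
    print(f"{len(other)} denial(s) not explained by the home location")
```

Denials that land in the second list once the home root is covered are the ones that would point at the profile itself rather than at the tunables.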

Roland Dreier (roland.dreier) wrote :

Duh, my fault... I forgot that this system has a different configuration and was completely blind. Sorry for the noise.
