permission denied: /usr/bin/{mktexpk,mktextfm}

Bug #1010909 reported by Leander Jedamus on 2012-06-09
This bug affects 10 people
Affects: apparmor (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

[impact]

This bug prevents viewing dvi files with evince while confined by
apparmor.

[steps to reproduce]

1) install evince, ensure evince apparmor policy is enabled
2) view a dvi with evince
3) with the fix applied, evince should be able to display the dvi
document and should not generate apparmor rejections in syslog

[regression potential]

The change in the patch for this bug is a loosening of the apparmor
policy for the sanitized helpers of evince. The risk of an introduced
regression is small.

[original description]

1) lsb_release -rd
Description: Ubuntu Vivid Vervet (development branch)
Release: 15.04

2) apt-cache policy evince apparmor texlive
evince:
  Installed: 3.14.1-0ubuntu1
  Candidate: 3.14.1-0ubuntu1
  Version table:
 *** 3.14.1-0ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ vivid/main amd64 Packages
        100 /var/lib/dpkg/status
apparmor:
  Installed: 2.8.98-0ubuntu4
  Candidate: 2.8.98-0ubuntu4
  Version table:
 *** 2.8.98-0ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ vivid/main amd64 Packages
        100 /var/lib/dpkg/status
texlive:
  Installed: 2014.20141024-1ubuntu1
  Candidate: 2014.20141024-1ubuntu1
  Version table:
 *** 2014.20141024-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ vivid/main amd64 Packages
        100 /var/lib/dpkg/status

3) What is expected to happen is when one attempts to open https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/1010909/+attachment/4282336/+files/example.dvi it does so successfully.

4) What happens instead is it hangs indefinitely, as per output of running evince via a terminal https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/1010909/+attachment/4282345/+files/error.txt . This would appear to be due to apparmor as per:
https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/1010909/+attachment/4282344/+files/kern.log

However, attempting to disable the offending profile fails:
sudo aa-complain /usr/bin/evince//sanitized_helper
/usr/bin/evince//sanitized_helper does not exist, please double-check the path.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: texlive-binaries 2009-11ubuntu2
ProcVersionSignature: Ubuntu 3.2.0-24.39-generic 3.2.16
Uname: Linux 3.2.0-24-generic x86_64
ApportVersion: 2.0.1-0ubuntu8
Architecture: amd64
Date: Sat Jun 9 17:05:03 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
ProcEnviron:
 TERM=xterm
 PATH=(custom, user)
 LANG=de_DE.UTF-8
 SHELL=/bin/zsh
SourcePackage: texlive-bin
UpgradeStatus: No upgrade log present (probably fresh install)

Leander Jedamus (ljedamus-o) wrote :

ah, I should've said that the output is from evince.
Second: This does not happen under Ubuntu 10.04.

b3nmore (b3nmore) wrote :

Did you install the "texlive-fonts-recommended" package? If not, install it and try again.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in texlive-bin (Ubuntu):
status: New → Confirmed

Kyungwon Chun (kwchun) wrote :

I have the same problem even after installation of texlive-fonts-recommended package. I should execute all 'mktexpk' commands in the error messages with 'sudo' to see the correct fonts on evince.

Jonas Grote (jfgrote+launchpad) wrote :

Kyungwon Chun: That does it for me, too. Thanks for sharing.

Reuben Thomas (rrt) wrote :

(The suggestion of running the commands with sudo is a workaround, but it's not a fix; meanwhile, the bug continues to exist in at least quantal.)

Reuben Thomas (rrt) wrote :

This bug appears to be the problem reported here: http://ubuntuforums.org/showthread.php?p=8690020

In short, the problem is that the apparmor profile for evince does not allow the font files to be written.

Unfortunately, the algorithm used by the TeXLive scripts to decide where to write generated font files is complicated. For example, in my case, they seem to be written under

$HOME/texmf/fonts

but I also have files generated in the recent past (perhaps with a previous version of TeXLive?) under $HOME/.texmf-var/fonts

and there are other possibilities, I believe. Hence, finding a solution that is both secure and reliable requires input from a TeXpert.

For the moment I have simply disabled Evince's apparmor profile.

Hi

On So, 13 Jan 2013, Reuben Thomas wrote:
> In short, the problem is that the apparmor profile for evince does not
> allow the font files to be written.

As Debian maintainer of the package I cannot comment on what Ubuntu is
doing specially here.

> Unfortunately, the algorithm used by the TeXLive scripts to decide where
> to write generated font files is complicated. For example, in my case,
> they seem to be written under
>
> $HOME/texmf/fonts

Which is strange and can only be explained by your local adaptations.
On my computer it still installs into $TEXMFVAR = ~/.texmf-var

The respective files are:
 /etc/texmf/web2c/mktex.cnf
which by default contains
 : ${MT_FEATURES=appendonlydir:texmfvar}
which means that fonts are created in $TEXMFVAR

> and there are other possibilities, I believe. Hence, finding a solution
> that is both secure and reliable requires input from a TeXpert.
>
> For the moment I have simply disabled Evince's apparmor profile.

That is Ubuntu's problem, since I don't have any idea what AppArmor
is doing or prohibiting or messing up.

Norbert

------------------------------------------------------------------------
PREINING, Norbert http://www.preining.info
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------

I have this output on my log:

SYS: Mar 13 23:26:26 RRyS kernel: [10244.979893] type=1400 audit(1363213586.384:1012): apparmor="DENIED" operation="exec" parent=5420 profile="/usr/bin/evince//sanitized_helper" name="/usr/share/texlive/texmf/web2c/mktexupd" pid=5447 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1153 ouid=0

could someone post here the command to disable the apparmor profile that makes this, as a temporary workaround? Thanks!
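An added example, not from this bug report or the apparmor project, of how a defender would triage audit lines like the one quoted in the comment above and check the "should not generate apparmor rejections in syslog" condition from the steps to reproduce: it parses AppArmor audit messages into key/value fields, splits the parent profile from the `//`-separated child profile (here `sanitized_helper`), and groups DENIED events by profile, operation and denied mask. The first sample line is the kernel message from this comment; the other two are constructed for illustration (an ALLOWED complain-mode entry that must be filtered out, and a hypothetical second denial on a font path under ~/.texmf-var).

```python
"""Triage AppArmor audit messages of the kind quoted in this bug."""
import re
from collections import defaultdict

# Constructed sample log: line 1 is the message quoted in the bug report,
# lines 2 and 3 are hypothetical entries in the same format.
SAMPLE_LOG = """\
Mar 13 23:26:26 RRyS kernel: [10244.979893] type=1400 audit(1363213586.384:1012): apparmor="DENIED" operation="exec" parent=5420 profile="/usr/bin/evince//sanitized_helper" name="/usr/share/texlive/texmf/web2c/mktexupd" pid=5447 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1153 ouid=0
Mar 13 23:26:27 RRyS kernel: [10245.000001] type=1400 audit(1363213587.000:1013): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/user/example.dvi" pid=5420 comm="evince" requested_mask="r" denied_mask="r" fsuid=1153 ouid=1153
Mar 13 23:26:28 RRyS kernel: [10245.100000] type=1400 audit(1363213588.000:1014): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince//sanitized_helper" name="/home/user/.texmf-var/fonts/pk/ljfour/public/cm/cmr10.600pk" pid=5448 comm="mktexpk" requested_mask="c" denied_mask="c" fsuid=1153 ouid=1153
"""

# key=value pairs: quoted values may contain spaces, bare values may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the fields of one AppArmor audit line as a dict, or None
    if the line is not an AppArmor message."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted or bare
    # profile="/usr/bin/evince//sanitized_helper" names a child profile:
    # AppArmor separates the parent profile and the child (or hat) with "//".
    parent, _, child = fields.get('profile', '').partition('//')
    fields['profile_parent'] = parent
    fields['profile_child'] = child
    return fields


def summarize_denials(log_text):
    """Group DENIED events by (profile, operation, denied_mask) and return
    the sorted list of object paths for each group."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None or ev.get('apparmor') != 'DENIED':
            continue  # ALLOWED (complain mode) and unrelated lines are skipped
        key = (ev['profile'], ev['operation'], ev.get('denied_mask', ''))
        groups[key].add(ev.get('name', ''))
    return {k: sorted(v) for k, v in groups.items()}


def denials_for_child(log_text, child):
    """All DENIED events attributed to a given child profile name,
    e.g. 'sanitized_helper', regardless of the parent profile."""
    return [ev for ev in map(parse_audit_line, log_text.splitlines())
            if ev and ev['apparmor'] == 'DENIED' and ev['profile_child'] == child]


if __name__ == '__main__':
    for (profile, op, mask), names in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f'{profile} {op} denied_mask={mask}')
        for name in names:
            print(f'    {name}')
```

Feeding the output of `journalctl -k` or the kernel log into `summarize_denials` gives a per-profile list of exactly which paths and operations the policy rejected, which is the information needed to decide whether a rule such as the one proposed later in this thread is wide enough, and whether any further write denials (font output under $TEXMFVAR) remain after it is applied.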

Sam Yates (sam-quux) wrote :

Just got bitten by this!

My workaround/possible fix: applied the following diff to /etc/apparmor.d/abstractions/ubuntu-helpers

===================================================================
RCS file: ubuntu-helpers,v
retrieving revision 1.1
diff -u -r1.1 ubuntu-helpers
--- ubuntu-helpers 2013/06/17 09:16:44 1.1
+++ ubuntu-helpers 2013/06/17 09:17:53
@@ -49,6 +49,9 @@
   # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
   /usr/{,local/}lib*/{,**/}* Pixr,

+ # Allow texlive font build scripts etc.
+ /usr/share/texlive/texmf/web2c/{,**}/* Pixr,
+
   # Allow exec of software-center scripts. We may need to allow wider
   # permissions for /usr/share, but for now just do this. (LP: #972367)
   /usr/share/software-center/* Pixr,
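Review bot: the added glob `/usr/share/texlive/texmf/web2c/{,**}/* Pixr,` places the slash outside the brace group, so its empty alternative expands to `web2c//*`, whereas the existing rule two lines above, `/usr/{,local/}lib*/{,**/}* Pixr,`, keeps the slash inside the group; writing it as `/usr/share/texlive/texmf/web2c/{,**/}* Pixr,` matches the established form and does not rely on how the matcher treats the doubled slash when matching top-level scripts such as the denied `mktexupd`. It would also help to state in the comment that this grants exec to every file under web2c, while the logged denial named only `mktexupd`; if the goal is only the mktex font scripts, a narrower pattern keeps the sanitized_helper profile tighter.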

tags: added: regression-release
tags: added: regression-potential vivid
removed: regression-release
description: updated

Sending to apparmor, as the root cause would appear to be a too-restrictive profile. Please re-assign if this is incorrect.

Changed in texlive-bin (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
affects: texlive-bin (Ubuntu) → apparmor (Ubuntu)

Steve Beattie (sbeattie) wrote :

This will be fixed in wily with apparmor 2.9.2-0ubuntu1. Attached is a patch for this issue as part of a trusty SRU.

description: updated

The attachment "profiles-texlive_font_generation-lp1010909.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.2-0ubuntu1

---------------
apparmor (2.9.2-0ubuntu1) wily; urgency=medium

  * Update to apparmor 2.9.2
    - Fix minitools to work with multiple profiles at once (LP: #1378095)
    - Parse mounts that have non-ascii UTF-8 chars (LP: #1310598)
    - Update dovecot profiles (LP: #1296667)
    - Allow ubuntu-helpers to build texlive fonts (LP: #1010909)
  * dropped patches incorporated upstream:
    add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch
    parser-fix_modifier_compilation_+_tests.patch,
    tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch,
    GDM_X_authority-lp1432126.patch, and
    debian/patches/easyprof-framework-policy.patch
  * Partial merge with debian apparmor package:
    - debian/rules: enable the bindnow hardening flag during build.
    - debian/upstream/signing-key.asc: add new upstream public
      signing key
    - debian/watch: fix watch file, add gpg signature checking
    - install libapparmor.so dev symlink under /usr not /lib
    - debian/patches/reproducible-pdf.patch: make techdoc.pdf
      reproducible even in face of timezone variations.
    - debian/control: sync fields
    - debian/debhelper/postrm-apparmor: remove
      /etc/apparmor.d/{disable,} on package purge
    - debian/libapache2-mod-apparmor.postrm: on package purge, delete
      /etc/apparmor.d/{,disable} if empty
    - debian/libapparmor1.symbols: Use Build-Depends-Package in the
      symbols file.
    - debian/copyright: sync

 -- Steve Beattie <email address hidden> Mon, 11 May 2015 22:03:04 -0700

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released

Steve Beattie (sbeattie) wrote :

I have reproduced the failures on generating fonts with evince on a dvi file and apparmor 2.8.95~2430-0ubuntu5.1 and can confirm that apparmor 2.8.95~2430-0ubuntu5.2 addresses the issue. Marking verification-done.

tags: added: verification-done

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Michisteiner (michisteiner) wrote :

This fix is already a few months old but still not pushed to Vivid (which still has buggy 2.9.1). Did the vivid update fall between the cracks or are there no plans to fix vivid?
