Evince denied from opening

Bug #1432126 reported by Bruce Pieterse on 2015-03-14
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | | Undecided | Unassigned |
Ubuntu GNOME | | Undecided | Unassigned |
apparmor (Ubuntu) | | High | Unassigned |

Bug Description

Apparmor is denying evince from running.

It initially started when I tried opening a PDF attachment in Thunderbird. Saving the file to disk and opening via nautilus renders the same result. Trying to just open evince without a file doesn't work as well.

Mar 14 11:10:00 host evince[27787]: <audit-1400> apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 14 11:10:00 host kernel: audit: type=1400 audit(1426324200.744:33): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 14 11:10:00 host evince.desktop[27787]: No protocol specified
Mar 14 11:10:00 host evince.desktop[27787]: ** (evince:27787): WARNING **: Could not open X display
Mar 14 11:10:00 host evince[27787]: <audit-1400> apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: apparmor 2.9.1-0ubuntu7
ProcVersionSignature: Ubuntu 3.19.0-7.7-generic 3.19.0
Uname: Linux 3.19.0-7-generic x86_64
ApportVersion: 2.16.2-0ubuntu3
Architecture: amd64
CurrentDesktop: GNOME
Date: Sat Mar 14 11:07:03 2015
InstallationDate: Installed on 2015-02-08 (33 days ago)
InstallationMedia: Ubuntu-GNOME 15.04 "Vivid Vervet" - Alpha amd64 (20150207)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.19.0-7-generic root=UUID=80974ebe-fd7c-446d-89c5-23bf40b9b915 ro quiet splash
SourcePackage: apparmor
Syslog: Mar 14 00:31:22 tanagra dbus[775]: [system] AppArmor D-Bus mediation is enabled
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Brandon Pierce (ihashacks) wrote :

I get the feeling this is more than just Evince. I think the X profile needs to be updated:

# sudo grep -R Xauthority apparmor.d/*
apparmor.d/abstractions/X: # .Xauthority files required for X connections, per user
apparmor.d/abstractions/X: owner @{HOME}/.Xauthority r,

# dmesg | grep Xauthority | grep -oE 'comm=".*"' | sort | uniq
comm="evince" requested_mask="r" denied_mask="r"
comm="firefox-gtk3" requested_mask="r" denied_mask="r"

Seth Arnold (seth-arnold) wrote :

Brandon, I think you're right; I'm not sure what decided the .Xauthority files needed to move to somewhere else, but there it is, no longer in your home directory.

Try adding the following line to your /etc/apparmor.d/abstractions/X file:

owner /run/user/*/gdm/Xauthority r,

Then sudo apparmor_parser --replace /etc/apparmor.d/

Thanks
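
Added example, not part of the original thread or of the AppArmor project: a more robust form of the dmesg triage above that pulls each audit field by name and prints one candidate rule per unique denial, for review before anything goes into a profile. The function names are hypothetical, the sample lines are copied from this report (the mimeapps.list one is from a later comment), and "owner" is emitted only when fsuid equals ouid.

```shell
#!/bin/sh
# Added example: turn AppArmor DENIED audit records into a de-duplicated
# list of candidate profile rules for review. Reads log text on stdin.
denial_rules() {
    awk '
    # Value of a quoted key="value" field in the current record, or "".
    function field(key,    s, i) {
        s = " " $0
        i = index(s, " " key "=\"")
        if (i == 0) return ""
        s = substr(s, i + length(key) + 3)
        return substr(s, 1, index(s, "\"") - 1)
    }
    # Value of an unquoted numeric key=123 field, or "".
    function num(key,    s, i) {
        s = " " $0
        i = index(s, " " key "=")
        if (i == 0) return ""
        s = substr(s, i + length(key) + 2)
        sub(/[^0-9].*/, "", s)
        return s
    }
    /apparmor="DENIED"/ {
        path = field("name"); mask = field("denied_mask")
        if (path == "" || mask == "") next
        # Per-user runtime dirs: generalise the UID, as in the rule
        # suggested in the thread (/run/user/*/gdm/Xauthority).
        sub(/^\/run\/user\/[0-9]+\//, "/run/user/*/", path)
        # The owner qualifier only fits when the process UID owns the file.
        own = (num("fsuid") != "" && num("fsuid") == num("ouid")) ? "owner " : ""
        print field("profile") "\t" field("comm") "\t" own path " " mask ","
    }' | LC_ALL=C sort -u
}

# Sample input: denial lines quoted in this bug report.
sample_log() {
cat <<'EOF'
Mar 14 11:10:00 host evince[27787]: <audit-1400> apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 14 11:10:00 host kernel: audit: type=1400 audit(1426324200.744:33): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 11 14:17:13 bbn-11838 kernel: [275098.499551] audit: type=1400 audit(1536693433.724:1007): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xdg/mimeapps.list" pid=11797 comm="evince" requested_mask="r" denied_mask="r" fsuid=1832001200 ouid=0
EOF
}

sample_log | denial_rules
```

The two Xauthority records are the same event logged twice, so they collapse to a single line; on a live system, feed the function from dmesg or the journal instead of sample_log.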

Brandon Pierce (ihashacks) wrote :

Seth,

Your fix did work for me. Firefox (GTK3) and Evince worked as expected with the AA change. It appears that GDM is what decided where to put the Xauthority file. If I "dpkg-reconfigure gdm" and switch to LightDM then the Xauthority file appears in $HOME again.

Changed in apparmor:
status: New → Fix Committed
Changed in apparmor (Ubuntu):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

---------------
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <email address hidden> Sat, 28 Mar 2015 07:22:30 -0500

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Steve Beattie (sbeattie) wrote :

This was fixed in upstream apparmor in the 2.9.2 release, closing there.

Changed in apparmor:
status: Fix Committed → Fix Released
Andrew Pam (xanni) wrote :

How do I get this fix on Trusty? I'm running apparmor 2.8.95~2430-0ubuntu5.3 with lightdm and thus .Xauthority in my home directory.

Seth Arnold (seth-arnold) wrote :

Andrew, if you're using lightdm then you've got a different bug. Could you open a new bug with ubuntu-bug apparmor and provide a description of the problem you're having and include the relevant DENIED lines from your logs?

Thanks

Andrew Pam (xanni) wrote :

That's OK, I worked out what my issue was (moving /home to another volume) and how to fix it: edit /etc/apparmor.d/tunables/home.d/ubuntu and run apparmor_parser --replace /etc/apparmor.d/

Changed in ubuntu-gnome:
status: New → Fix Released
Jon Schewe (jpschewe) wrote :

I know this was closed quite some time ago, but I'm seeing this show up on Ubuntu 18.04:

Sep 11 14:17:13 bbn-11838 kernel: [275098.499551] audit: type=1400 audit(1536693433.724:1007): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xdg/mimeapps.list" pid=11797 comm="evince" requested_mask="r" denied_mask="r" fsuid=1832001200 ouid=0

Jon Schewe (jpschewe) wrote :

Pardon, I see that it's a different file. I will create a new bug.
