apparmor prevents evince from accessing /run/user/

Bug #1062531 reported by Laurent Bonnaud on 2012-10-05
This bug affects 6 people
Affects: evince (Ubuntu) | Importance: High | Assigned to: Jamie Strandboge
Affects: Quantal | Importance: High | Assigned to: Jamie Strandboge

Bug Description

When I start evince it displays many error messages like this one:

$ evince

** (evince:4549): CRITICAL **: unable to create file '/run/user/bonnaud/dconf/user': Permission denied. dconf will not work properly.
[message repeated 10 times]

and the kernel outputs those error messages:

[ 514.160868] type=1400 audit(1349467722.309:98): apparmor="DENIED" operation="open" parent=3774 profile="/usr/bin/evince" name="/run/user/bonnaud/dconf/user" pid=4549 comm="evince" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
[message repeated 10 times]

In the apparmor profile for evince contained in those files:

  /etc/apparmor.d/abstractions/evince
  /etc/apparmor.d/usr.bin.evince

there is nothing concerning /run/user/.

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: evince 3.6.0-0ubuntu1
ProcVersionSignature: Ubuntu 3.5.0-17.27-generic 3.5.5
Uname: Linux 3.5.0-17-generic i686
ApportVersion: 2.6.1-0ubuntu1
Architecture: i386
Date: Fri Oct 5 22:09:11 2012
EcryptfsInUse: Yes
SourcePackage: evince
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in evince (Ubuntu):
status: New → Confirmed
Fabien Tassin (fta) wrote :

To reproduce, just start evince; no need to do anything else. It also happens when closing it.

To fix, edit /etc/apparmor.d/usr.bin.evince and add this line in the /usr/bin/evince section:

owner /{,var/}run/user/*/dconf/user rw,

then reload the profile with:

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

Sebastien Bacher (seb128) wrote :

Hey ubuntu-security, could somebody in your team look at that? I guess it's a change similar to the one done to other sources recently,

e.g. adding
"
owner /{,var/}run/user/*/dconf/ w,
owner /{,var/}run/user/*/dconf/user rw,"

to the profile, but I would prefer to have somebody who knows apparmor better than me confirm before doing that.

Changed in evince (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → High
Changed in evince (Ubuntu Quantal):
assignee: Ubuntu Security Team (ubuntu-security) → Jamie Strandboge (jdstrand)
Changed in evince (Ubuntu Quantal):
status: Confirmed → Triaged
Changed in evince (Ubuntu Quantal):
status: Triaged → In Progress
milestone: none → ubuntu-12.10
Jamie Strandboge (jdstrand) wrote :

Uploaded 3.6.0-0ubuntu2.

Changed in evince (Ubuntu Quantal):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.6.0-0ubuntu2

---------------
evince (3.6.0-0ubuntu2) quantal; urgency=low

  * debian/apparmor-profile: for evince and evince-previewer, allow owner 'rw'
    access to /{,var/}run/user/*/dconf/user (LP: #1062531)
 -- Jamie Strandboge <email address hidden> Tue, 09 Oct 2012 08:51:50 -0500

Changed in evince (Ubuntu Quantal):
status: Fix Committed → Fix Released

Thank you for the quick fix!

Jonathan Reed (jdreed) wrote :

For anyone, like me, who is naive enough to think that it's possible to set XDG_CACHE_HOME or DCONF_PROFILE to values other than the default, note that this fix _only_ allows access to the "user" profile. If you rename your user profile, you cannot use any apparmor-enabled application that uses dconf. I know there's nothing to be done about this, but I'm leaving this comment here lest anyone else encounter this situation.
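
An added example, not part of the original thread or the evince package: a small Python check that replays the audit record from the bug description against the rule from the fix, and against a constructed record for a dconf database not named "user". The glob translation covers only the AppArmor syntax used in this thread ({a,b}, *, **, ?), and all function names are hypothetical.

```python
import re

# Kernel audit record quoted in the bug description.
DENIED = ('type=1400 audit(1349467722.309:98): apparmor="DENIED" operation="open" '
          'parent=3774 profile="/usr/bin/evince" name="/run/user/bonnaud/dconf/user" '
          'pid=4549 comm="evince" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000')
# Constructed record: the same denial for a dconf database not named "user".
RENAMED = DENIED.replace("dconf/user", "dconf/work")
FIX_RULE = "owner /{,var/}run/user/*/dconf/user rw,"  # rule from the thread

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here into an anchored regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):          # ** crosses directory separators
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":                          # * stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":                        # {a,b} alternation, e.g. {,var/}
            end = glob.index("}", i)
            alts = glob[i + 1:end].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_allows(rule, event):
    """True if a file rule ('[owner] <glob> <perms>,') would permit the event."""
    parts = rule.rstrip(",").split()
    glob, perms = parts[-2], set(parts[-1])
    if parts[0] == "owner" and event["fsuid"] != event["ouid"]:
        return False                          # owner rules need fsuid == file owner
    # Audit masks are finer-grained than profile permissions:
    # 'c' (create) and 'd' (delete) are both granted by 'w'.
    needed = {"w" if m in "cd" else m for m in event["denied_mask"]}
    return bool(glob_to_regex(glob).match(event["name"])) and needed <= perms

if __name__ == "__main__":
    for label, line in (("reported", DENIED), ("renamed", RENAMED)):
        print(label, rule_allows(FIX_RULE, parse_audit(line)))
```

The second record is still denied because the rule names the literal file `user`, which is the limitation described in the comment above.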
