apparmor denies evince a chmod operation

Bug #1279272 reported by henry
This bug affects 2 people
Affects: evince (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,
Recently I have enabled AppArmor notify to the desktop, and when a PDF is opened by evince a message appears.
Not sure how it happens, but since I enabled the AppArmor notify to the desktop I realized that an error is raised.
This happens for any PDF document that is opened.
A chmod operation is denied on a /tmp sub-folder.
Every error has this form:

[ 5148.214512] type=1400 audit(1392198051.114:66): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/bin/evince" name="/tmp/at-spi2/" pid=6922 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=118

I do not know if this error can be the source of a malfunction of the program, which is why I reported the problem.

My system is Ubuntu 12.04 LTS (updated to last available packages):
lsb_release -rd:
Description: Ubuntu 12.04.4 LTS
Release: 12.04

uname -a:
Linux ...... 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

and evince is the standard package
dpkg -l|grep evince:
ii evince 3.4.0-0ubuntu1.7 Document (PostScript, PDF) viewer
ii evince-common 3.4.0-0ubuntu1.7 Document (PostScript, PDF) viewer - common files
ii libevince3-3 3.4.0-0ubuntu1.7 Document (PostScript, PDF) rendering library

and AppArmor:
dpkg -l|grep apparmor:
ii apparmor 2.7.102-0ubuntu3.9 User-space parser utility for AppArmor
ii apparmor-notify 2.7.102-0ubuntu3.9 AppArmor notification system
ii apparmor-profiles 2.7.102-0ubuntu3.9 Profiles for AppArmor Security policies
ii apparmor-utils 2.7.102-0ubuntu3.9 Utilities for controlling AppArmor
ii dh-apparmor 2.7.102-0ubuntu3.9 AppArmor debhelper routines
ii libapparmor-perl 2.7.102-0ubuntu3.9 AppArmor library Perl bindings
ii libapparmor1 2.7.102-0ubuntu3.9 changehat AppArmor library

Thanks

Enrico

henry (henrythebuilder)
description: updated
Jamie Strandboge (jdstrand) wrote :

I cannot reproduce this and it actually looks like a legitimate denial. How have you configured your environment so that /tmp/at-spi2/ is being used and why is evince trying to chmod it?

Changed in evince (Ubuntu):
status: New → Incomplete
henry (henrythebuilder) wrote :

Hi,
recently I modified the telepathy profile because I moved (linked through ln) some home folders to the Private folder, but the problem was present before that change.
The notify came to the desktop after additional packages were installed by:
apt-get install apparmor-utils apparmor-profiles apparmor-notify
But according to the system log the problem was already present; it was just not displayed.
Maybe the problem is not just my installation, because I found many identical logs on the internet (i.e. try "apparmor="DENIED" operation="chmod" parent=1 profile="/usr/bin/evince" name="/tmp/at-spi2/"" on Google).
Anyway, I attach the evince profile present in the apparmor.d folder.

Many thanks

Enrico

This is the apparmor_status report:

apparmor module is loaded.
42 profiles are loaded.
19 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//launchpad_integration
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//launchpad_integration
   /usr/bin/evince//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
23 profiles are in complain mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/{sbin/traceroute,bin/traceroute.db}
7 processes have profiles defined.
3 processes are in enforce mode.
   /usr/lib/telepathy/mission-control-5 (3186)
   /usr/lib/telepathy/telepathy-* (3230)
   /usr/sbin/cupsd (1161)
2 processes are in complain mode.
   /usr/sbin/dnsmasq (1859)
   /usr/sbin/nmbd (2069)
2 processes are unconfined but have a profile defined.
   /usr/sbin/smbd (1086)
   /usr/sbin/smbd (1095)

henry (henrythebuilder) wrote :

Errata Corrige !!!
The notify comes to the desktop if, as a user, I am in the admin group (according to /etc/apparmor/notify.conf).

Sorry for the mistake in the previous message.

Enrico

henry (henrythebuilder) wrote :

Additional Information:
The folder /tmp/at-spi2/ is owned by gdm (I switched from lightdm to gdm) and /tmp is listed as:
... ll /tmp/
total 96
drwxrwxrwt 11 root root 49152 feb 27 18:26 ./
drwxr-xr-x 24 root root 4096 feb 19 15:12 ../
drwxrwxrwt 2 gdm gdm 4096 feb 27 18:26 at-spi2/
drwxrwxrwt 2 root root 4096 feb 27 18:11 .ICE-unix/
...

and
... ll /tmp/at-spi2
total 56
drwxrwxrwt 2 gdm gdm 4096 feb 27 18:26 ./
drwxrwxrwt 11 root root 49152 feb 27 18:26 ../
srwxrwxrwx 1 gdm gdm 0 feb 27 18:11 socket-1565-512521031=
srwxrwxrwx 1 gdm gdm 0 feb 27 18:11 socket-1571-976048637=
srwxrwxrwx 1 gdm gdm 0 feb 27 18:11 socket-1680-1804289383=
...

Enrico
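An added triage helper for the kind of DENIED line quoted in the description (example code, not from the bug report or from the AppArmor project): it parses the key=value fields of an AppArmor audit line and flags when the acting fsuid differs from the object's ouid, the mismatch the directory listing above makes visible (the folder is owned by gdm, the denied process runs as uid 1000). The second sample line and the /home/user/notes.txt path are constructed for contrast.

```python
import re

# Constructed sample input: line 1 is the denial quoted in the bug report,
# line 2 is a constructed contrast case whose object is owned by the acting user.
SAMPLE_LOG = """\
[ 5148.214512] type=1400 audit(1392198051.114:66): apparmor="DENIED" operation="chmod" parent=1 profile="/usr/bin/evince" name="/tmp/at-spi2/" pid=6922 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=118
[ 5150.000000] type=1400 audit(1392198053.000:67): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/home/user/notes.txt" pid=6922 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs; values are either double-quoted or a single bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line, or None for any other line."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def triage(fields):
    """Summarise a DENIED event. owner_match is True only when the acting fsuid equals
    the object's owner uid; only then can an `owner`-qualified profile rule match,
    which is why chowning /tmp/at-spi2/ to the logged-in user changed the outcome here."""
    if not fields or fields.get('apparmor') != 'DENIED':
        return None
    return {
        'profile': fields['profile'],
        'operation': fields['operation'],
        'path': fields['name'],
        'mask': fields.get('denied_mask', ''),
        'owner_match': fields.get('fsuid') == fields.get('ouid'),
    }

def candidate_rule(summary):
    """Render the rule a profile maintainer would review to permit this access.
    It is a review item, not a fix: the maintainer in this report judged the denial
    legitimate, and the reporter later traced the trigger to a dconf setting."""
    qualifier = 'owner ' if summary['owner_match'] else ''
    return f"{qualifier}{summary['path']} {summary['mask']},"

def summarize(log_text):
    """Triage every DENIED line in a block of log text."""
    return [t for t in (triage(parse_apparmor_line(line))
                        for line in log_text.splitlines()) if t]

if __name__ == '__main__':
    for s in summarize(SAMPLE_LOG):
        print(s['profile'], s['operation'], s['path'], 'owner_match=%s' % s['owner_match'],
              '->', candidate_rule(s))
```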

henry (henrythebuilder) wrote :

Additional information:
premise:
p1) I made a test: changing the owner and group of the /tmp/at-spi2/ folder to the logged-in user solves the problem. Maybe it was granted, but it tried anyway.
p2) Evince seems to work fine; I never detected problems reading PDF files during normal work. This error does not seem to affect the overall operation of the program.

Based on my knowledge, I have tried to verify the points requested by Jamie Strandboge:
a1) the environment and /tmp/at-spi2/:
considering what I have discovered, a way to change the environment connected to '/tmp/at-spi2/' is to define XDG_RUNTIME_DIR, but this variable is not defined; the command env|grep XDG produces:
  XDG_SESSION_COOKIE=023e99a7ae9aa1d1d49fde2300000008-1393614529.236409-511883369
  XDG_CONFIG_DIRS=/etc/xdg/xdg-gnome-shell:/etc/xdg
  XDG_DATA_DIRS=/usr/share/gnome-shell:/usr/share/gnome:/usr/local/share/:/usr/share/
  XDG_CURRENT_DESKTOP=GNOME
This is certainly not exhaustive, but that's what I was able to discover about this.

a2) why is evince trying to chmod it?
I don't know the internal reasons of evince, but this operation is always done, even when it is launched from the command line without opening a PDF file directly. I made an strace of an evince launch from the command line, a simple evince, and these are the interesting lines:
...
  recvmsg(11, 0x7fff3dbbb490, MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily unavailable)
  eventfd2(0, O_NONBLOCK|O_CLOEXEC) = 12
  write(12, "\1\0\0\0\0\0\0\0", 8) = 8
  fstat(11, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
  fcntl(11, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
  write(4, "\1\0\0\0\0\0\0\0", 8) = 8
  brk(0x7f6836ff0000) = 0x7f6836ff0000
  brk(0x7f6836fef000) = 0x7f6836fef000
  sendmsg(11, {msg_name(0)=NULL, msg_iov(2)=[{"l\1\1\1Y\0\0\0\2\0\0\0\177\0\0\0\1\1o\0\25\0\0\0/org/fre"..., 144}, {"T\0\0\0type='signal', interface='or"..., 89}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 233
  sendmsg(11, {msg_name(0)=NULL, msg_iov(2)=[{"l\1\1\1d\0\0\0\3\0\0\0\177\0\0\0\1\1o\0\25\0\0\0/org/fre"..., 144}, {"_\0\0\0type='signal', interface='or"..., 100}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 244
  sendmsg(11, {msg_name(0)=NULL, msg_iov(2)=[{"l\1\0\0010\0\0\0\4\0\0\0\202\0\0\0\1\1o\0\37\0\0\0/org/a11"..., 152}, {"\5\0\0\0:1.38\0\0\0\37\0\0\0/org/a11y/atspi/"..., 48}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 200
* mkdir("/tmp/at-spi2/", 01777) = -1 EEXIST (File exists)
* chmod("/tmp/at-spi2/", 01777) = -1 EACCES (Permission denied)
  socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 13
* stat("/tmp/at-spi2/socket-4587-1804289383", 0x7fff3dbbb550) = -1 ENOENT (No such file or directory)
  setsockopt(13, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
* bind(13, {sa_family=AF_FILE, path="/tmp/at-spi2/socket-4587-1804289383"}, 37) = 0
  listen(13, 30) = 0
  fcntl(13, F_GETFL) = 0x2 (flags O_RDWR)
  fcntl(13, F_SETFL, O_RDWR|O_NONBLOCK) = 0
* chmod("/tmp/at-spi2/socket-4587-1804289383", 0777) = 0
  open("/dev/urandom", O_RDONLY) = 14
  read(14, "\320\262\323\266\243\246...


henry (henrythebuilder) wrote :

Issue found !!!

After some tests I found the issue (at least on my system).

The problem is connected to a dconf setting: the key 'toolkit-accessibility' in the schema 'org.gnome.desktop.interface'.
When it is enabled, the issue is raised.

Steps to reproduce:
with a new user:
1) create a new user
2) verify that the key value is false (default value)
3) check the message when evince is launched: no message from AppArmor!
4) set the key to 'true' (the default value is false)
5) check the message when evince is launched: Denied message from AppArmor!
or, with an existing user, go through steps 2 to 5

This is what I found out on my system.
Maybe the setting is left over from previous settings, because my home partition has been the same for a long time over different versions of the system. I do not know if it is connected or may be useful to know, but on my system all options from 'Universal Access' (System Settings) are disabled even when the value is true.

Can you try this?

Bye

Enrico

henry (henrythebuilder) wrote :

Following what I tested, I report that even in a clean install (done on a virtual machine) of Ubuntu Desktop 12.04.4 this issue is present: after enabling the 'toolkit-accessibility' setting and running evince, a denied message from AppArmor was detected in the log.

Launchpad Janitor (janitor) wrote :

[Expired for evince (Ubuntu) because there has been no activity for 60 days.]

Changed in evince (Ubuntu):
status: Incomplete → Expired
Changed in evince (Ubuntu):
status: Expired → Incomplete
Changed in evince (Ubuntu):
status: Incomplete → Expired