Evince apparmor settings not allowing sitewide dconf changes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
evince (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Description: Ubuntu 14.04.1 LTS
apt-cache policy evince evince-common
evince:
Installed: 3.10.3-0ubuntu10.1
Candidate: 3.10.3-0ubuntu10.1
Version table:
*** 3.10.3-0ubuntu10.1 0
500 http://
100 /var/lib/
3.
500 http://
evince-common:
Installed: 3.10.3-0ubuntu10.1
Candidate: 3.10.3-0ubuntu10.1
Version table:
*** 3.10.3-0ubuntu10.1 0
500 http://
100 /var/lib/
3.
500 http://
There are a few issues here. The main problem is that the Evince apparmor settings do not honor site-wide dconf settings as described in dconf(7). I'm currently preparing a multiuser setup where we need some site-wide configurations, one of which affects Evince.
Problem (1): As described in dconf(7), system-wide settings can be made by creating and editing /etc/dconf/
echo 'user-db:user' | sudo tee -a /etc/dconf/
sudo dconf update
evince
We get the following warning:
(evince:9145): dconf-WARNING **: Unable to open /etc/dconf/
and the following message in syslog:
kernel: [ 1129.931888] type=1400 audit(140784349
Indeed, if we search through all files in /etc/apparmor.d, /etc/dconf is not mentioned anywhere.
Possible solution: add
/etc/dconf/** r,
to /etc/apparmor.
sudo apparmor_parser -r /etc/apparmor.
Then there are no complaints anymore.
Problem (2): Again reading dconf(7), it is recommended to change the settings if /home is NFS mounted. Thus in /etc/dconf/
This causes a new permission denied problem. Remember to run 'sudo dconf update' and log out and in again.
(evince:19187): dconf-WARNING **: unable to open file '/run/user/
from syslog:
kernel: [ 5430.597984] type=1400 audit(140784878
The apparmor files do mention '/run/user/' (in usr.bin.evince):
# Maybe add to an abstraction?
owner /{,var/
owner /{,var/
However, this does not match 'dconf-service'. One can fix this by adding
owner /{,var/
owner /{,var/
to /etc/apparmor.
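As an added example (not part of the bug report or the evince package), a small Python triage script that parses AppArmor DENIED audit lines of the kind quoted above and checks them against a profile excerpt, so one can see which dconf denials a candidate rule such as `/etc/dconf/** r,` actually covers before reloading with apparmor_parser. The syslog lines and the profile excerpt are constructed samples; the matcher handles `**`, `*`, `?`, `{a,b}` globbing and the `owner` qualifier, but not profile variables such as @{HOME}.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not copied from the report) in the kernel's
# type=1400 AppArmor format, modelled on the dconf denials the bug describes.
SYSLOG = """\
kernel: [ 1129.931888] type=1400 audit(1407843490.123:99): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/dconf/profile/user" pid=9145 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 5430.597984] type=1400 audit(1407848780.456:120): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince" name="/run/user/1000/dconf/user" pid=19187 comm="dconf-service" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: [ 5431.000001] type=1400 audit(1407848781.000:121): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/home/user/.config/dconf/user" pid=19188 comm="dconf-service" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
"""

# Constructed profile excerpt: the rule proposed for problem (1) plus a rule that
# only covers the per-user dconf directory itself, not the files inside it.
PROFILE = """\
/etc/dconf/** r,
owner /{,var/}run/user/*/dconf/ rw,
"""

DENY_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)".*?'
                     r'denied_mask="([^"]+)".*?fsuid=(\d+) ouid=(\d+)')
RULE_RE = re.compile(r'^\s*(owner\s+)?(/\S+)\s+([a-z]+),\s*$')

def glob_to_regex(pattern):
    """AppArmor path globbing: ** crosses '/', * and ? do not, {a,b} is alternation."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2; continue
        c = pattern[i]
        out.append({"*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}.get(c, re.escape(c)))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rules(profile_text):
    """Yield (owner_only, path_regex, permission_set) for each file rule in the excerpt."""
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3))

def uncovered_denials(log_text, profile_text):
    """Map profile -> [(path, denied_mask)] for denials that no rule in profile_text would grant."""
    rules = list(parse_rules(profile_text))
    result = defaultdict(list)
    for profile, path, mask, fsuid, ouid in DENY_RE.findall(log_text):
        needed = {"w" if ch in "cd" else ch for ch in mask}  # create/delete are granted by 'w'
        granted = any(rx.match(path) and needed <= perms and (not owner_only or fsuid == ouid)
                      for owner_only, rx, perms in rules)
        if not granted:
            result[profile].append((path, mask))
    return dict(result)
```

With the sample data, the /etc/dconf read is covered but the two dconf-service writes are still denied, which mirrors problem (2): the directory rule does not reach the files inside /run/user/*/dconf/.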
tags: added: apparmor
Changed in evince (Ubuntu): importance: Undecided → High
Changed in evince (Ubuntu): status: New → In Progress
This bug was fixed in the package evince - 3.10.3-0ubuntu15
---------------
evince (3.10.3-0ubuntu15) utopic; urgency=medium
* debian/ apparmor- profile: 1000/at- spi2-* */gvfs- metadata/ ** (LP: #1344810) /.cache/ dconf/user (LP: #1024605) apparmor- profile. abstraction: lubuntu/ applications/ defaults. list (LP: #1290157, [pP][sS] [fFiI23] (LP: #1330430)
- allow site-wide dconf. Thanks to Lars Masden. (LP: #1355804)
- allow read/write to files we own in /media (LP: #1096837)
- allow read/write to files we own in /run/user/
(LP: #1308488)
- allow 'l' to /run/user/
- allow read/write of @{HOME}
* debian/
- allow read of /etc/xdg/
LP: #1299239)
- allow read of /**.[eE]
-- Jamie Strandboge <email address hidden> Tue, 12 Aug 2014 14:30:43 -0500