evince fails to run due to a gdk_mir_display_open

It looks like you moved your home directories away from /home:

[11617.240214] audit: type=1400 audit(1426607239.103:39): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/ssdhome/cpbl/.Xauthority" pid=20599 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

To modify the system's AppArmor policies, run this:

sudo dpkg-reconfigure apparmor

Then try re-running evince.

Thanks

Yes. Though its symlinked from /home.

Your reconfigure solves the problem.

Is the behaviour I experienced all as it should be, then?
thanks,
Chris

Excellent, thanks for reporting back Christopher. The kernel follows symlinks before prompting AppArmor to allow or deny something. which is why the reports include the 'real' name. This all appears to be working as expected.

Thanks

Hi Seth,

I have my home under /home/, it is just on a different partition. I face the same issue with evince.

Executing sudo dpkg-reconfigure apparmor does not solve the problem for me. I passed /home/ and /home/<user>/ but it doesn't work. Any suggestions?

A very crude workaround that I tried is to disable the apparmor profile evnice, similar to firefox and issuing

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince.

Obviously evince works now, but this is far from satisfactory.

You should pass '/ssdhome/' as can be seen from the kernel denial. Hope this helps.

I have the same issue and using sudo dpkg-reconfigure apparmor to add /local/home/ does not change anything.

% evince
No protocol specified

** (evince:8940): WARNING **: Could not open X display
No protocol specified
gdk_mir_display_open
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Cannot parse arguments: Cannot open display:

Mar 26 11:31:45 sturm kernel: [13219.348993] audit: type=1400 audit(1427365905.651:53): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=8854 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 26 11:31:45 sturm kernel: [13219.352242] audit: type=1400 audit(1427365905.655:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=8854 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Solved, by adding /run/user through dpkg-reconfigure apparmor.

An overkill for this bug is:

1) Run evince xxx.pdf in terminal
2) Find out the last lines of the output of dmesg, which should go like this:

[ 7091.704251] audit: type=1400 audit(1427518665.187:100): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=20485 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

, and remember the directory after "name="
3) Run dpkg-reconfigure apparmor, add the directory after "name="( in this case it is /run/user/1000/gdm).

Hope this works.

Thanks for reporting this. The was spot on.

I have the same problem, but the above solutions don't work:

$evince testpdf.pdf
No protocol specified

** (evince:5819): WARNING **: Could not open X display
No protocol specified
gdk_mir_display_open
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Cannot parse arguments: Cannot open display:

dmesg gives:
[ 862.287951] audit: type=1400 audit(1433776649.140:49): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/work/davids/.Xauthority" pid=5819 comm="evince" requested_mask="r" denied_mask="r" fsuid=1011 ouid=1011

$ sudo dpkg-reconfigure apparmor (with name=/work/davids/)

update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd

Try again:

$evince testpdf.pdf
No protocol specified

** (evince:5991): WARNING **: Could not open X display
No protocol specified
gdk_mir_display_open
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Cannot parse arguments: Cannot open display:

Have you checked the owner and rights of the file? My ".Xauthority" had them wrong so reconfiguring AppArmor wasn't enough.

Just tried another pdf which fails with the same errors:

ls -lt Issue_54_AprMay_2015.pdf
-rw-rw-r-- 1 davids davids 6452563 May 3 11:13 Issue_54_AprMay_2015.pdf

ie read permission for all. And my .Xauthority looks like:

$ls -lt .Xauthority
-rw------- 1 davids davids 65 Jun 8 17:03 .Xauthority

xadder, I think instead of dpkg-reconfigure apparmor name=/work/davids/ try name=/work/

Thanks

Ah, yes, that worked. Thanks!

#15 Is the right workaround. Thanks

Just additional note for anyone else stumbling into this. I ran into this problem, thought first my /home located on another disk caused it. So ran the reconfig and all, no fix.
Careful rereading this report, lead met to check my .Xauthority... and there it was.
I changed those for some experimentation during a training I was doing, and forgot to change it back. Setting it back only rw to the user fixed the problem for me.

I've tried every suggestion in this thread and still seeing issues. At first I was getting the exact same error as the original poster, after adding variants(symlinks and non-symlinks)of all the denied paths and possibly associated directors:

/home/ /mnt/storage0/home/ /home/user/ /mnt/storage0/home/user/ /usr/share/locale-langpack/en/LC_MESSAGES/ /mnt/storage0/usr/share/locale-langpack/en/LC_MESSAGES/ /usr/share/glib-2.0/schemas/ /mnt/storage0/usr/share/glib-2.0/schemas/

Running evince now produces the following crash and dmesg output. Thoughts?

$ evince

(evince:5181): GLib-GIO-ERROR **: No GSettings schemas are installed on the system
Trace/breakpoint trap (core dumped)

$ dmesg

[ 1098.393345] audit: type=1400 audit(1442266027.531:351): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/mnt/storage0/usr/share/locale-langpack/en/LC_MESSAGES/gtk30.mo" pid=5176 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1098.399296] audit: type=1400 audit(1442266027.535:352): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/mnt/storage0/usr/share/glib-2.0/schemas/gschemas.compiled" pid=5176 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1098.399596] traps: evince[5176] trap int3 ip:7f1f2737ad00 sp:7ffcfc9e5bd0 error:0

$ sudo dpkg-reconfigure apparmor

/home/ /mnt/storage0/home/ /home/user/ /mnt/storage0/home/user/ /usr/share/locale-langpack/en/LC_MESSAGES/ /mnt/storage0/usr/share/locale-langpack/en/LC_MESSAGES/ /usr/share/glib-2.0/schemas/ /mnt/storage0/usr/share/glib-2.0/schemas/

Alan, those are some surprising errors. It looks a lot like you've got / symlinked to /mnt/stoarge0/ or something else similar.

If so, you'd probably be better served with a rule like:

alias / -> /mnt/storage0/,

in the /etc/apparmor.d/tunables/alias file.

Then you could clean up the @{HOME} variable to only the paths actually used for home directories (the dpkg-reconfigure apparmor question) and drastically tighten the security policy while also allowing the accesses that need to happen.

Thanks

hduser@AJ:/home/aj$ nautilus
No protocol specified

** (nautilus:6153): WARNING **: Could not open X display
No protocol specified
gdk_mir_display_open
Failed to connect to Mir: Failed to connect to server socket: Permission denied
Unable to init server: Could not connect: Connection refused

(nautilus:6153): Gtk-WARNING **: cannot open display: :0