apparmor blocks evince from /usr/bin/dbus-launch

Bug #566207 reported by Nikolaus Rath on 2010-04-18
This bug affects 8 people
Affects             Importance  Assigned to
apparmor (Ubuntu)   Low         Jamie Strandboge
  Lucid             Low         Unassigned
  Maverick          Low         Jamie Strandboge
evince (Ubuntu)     Medium      Jamie Strandboge
  Lucid             Medium      Jamie Strandboge
  Maverick          Medium      Jamie Strandboge

Bug Description

Whenever I start evince, I get the following warnings from the kernel:

Apr 7 16:14:00 spitzer kernel: [539649.749831] type=1503 audit(1270671240.166:27): operation="exec" pid=32423 parent=32419 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
Apr 7 16:14:00 spitzer kernel: [539649.751333] type=1503 audit(1270671240.166:28): operation="exec" pid=32424 parent=32419 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
Apr 7 16:14:00 spitzer kernel: [539649.751464] type=1503 audit(1270671240.166:29): operation="exec" pid=32424 parent=32419 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
Apr 7 16:33:00 spitzer kernel: [540789.509776] __ratelimit: 24 callbacks suppressed
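
A small parser for the denial lines quoted above, added here as an example (it is not part of the original report or of AppArmor's own tooling). It groups type=1503 denials by profile, operation and target, and counts the messages the kernel rate limiter dropped; the function names are illustrative.

```python
import re

# Sample input: the kernel log lines quoted in the bug description.
SAMPLE_LOG = """\
Apr 7 16:14:00 spitzer kernel: [539649.749831] type=1503 audit(1270671240.166:27): operation="exec" pid=32423 parent=32419 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
Apr 7 16:14:00 spitzer kernel: [539649.751333] type=1503 audit(1270671240.166:28): operation="exec" pid=32424 parent=32419 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
Apr 7 16:14:00 spitzer kernel: [539649.751464] type=1503 audit(1270671240.166:29): operation="exec" pid=32424 parent=32419 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
Apr 7 16:33:00 spitzer kernel: [540789.509776] __ratelimit: 24 callbacks suppressed
"""

# Matches the record format shown in this report (type=1503 with key=value pairs).
AUDIT_RE = re.compile(r'type=1503 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RATELIMIT_RE = re.compile(r'__ratelimit: (\d+) callbacks suppressed')


def parse_denials(log_text):
    """Return (records, suppressed): one dict per denial line, plus the
    number of messages the kernel rate limiter reported as dropped."""
    records, suppressed = [], 0
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            fields = {k: (q if q else u) for k, q, u in KV_RE.findall(m.group("body"))}
            fields["serial"] = int(m.group("serial"))
            records.append(fields)
            continue
        r = RATELIMIT_RE.search(line)
        if r:
            suppressed += int(r.group(1))
    return records, suppressed


def summarize(records):
    """Group denials by (profile, operation, name, denied_mask)."""
    groups = {}
    for rec in records:
        key = (rec.get("profile"), rec.get("operation"), rec.get("name"), rec.get("denied_mask"))
        g = groups.setdefault(key, {"count": 0, "pids": set()})
        g["count"] += 1
        if "pid" in rec:
            g["pids"].add(int(rec["pid"]))
    return groups


if __name__ == "__main__":
    recs, dropped = parse_denials(SAMPLE_LOG)
    for key, g in summarize(recs).items():
        print(key, g["count"], sorted(g["pids"]))
    print("rate-limited messages not shown in the log:", dropped)
```

A non-zero suppressed count means the grouped totals are a lower bound, since the rate limiter hides further messages.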

Architecture: amd64
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: dt100_hub_drv
Package: evince 2.28.1-0ubuntu1.2
PackageArchitecture: amd64
ProcCmdline: BOOT_IMAGE=/vmlinuz-2.6.31-20-server root=/dev/mapper/tassadar-root ro quiet splash
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, no user)
 LANG=en_US.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-20.58-server
Uname: Linux 2.6.31-20-server x86_64
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (gnome-settings-daemon:20487): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (gnome-settings-daemon:20487): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (nautilus:20544): Eel-CRITICAL **: eel_preferences_get_boolean: assertion `preferences_is_initialized ()' failed
 (polkit-gnome-authentication-agent-1:20548): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed

tags: added: apport-collected
affects: evince (Ubuntu) → apparmor (Ubuntu)

I can't reproduce this. How are you starting evince?

affects: apparmor (Ubuntu) → evince (Ubuntu)
Changed in evince (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
summary: - type=1503 audit(1270671240.166:26): operation="exec" pid=32423
- parent=32419 profile="/usr/bin/evince" requested_mask="::x"
- denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
+ apparmor blocks evince from /usr/bin/dbus-launch
tags: added: apparmor
removed: apport-collected
Nikolaus Rath (nikratio) wrote :

I just log into the machine with ssh X11 forwarding enabled (the machine is headless) and type "evince" in the console:

$ evince

** (evince:702): WARNING **: Error connecting to D-Bus: /bin/dbus-launch terminated abnormally without any error message

** (evince:702): WARNING **: Service registration failed.

** (evince:702): WARNING **: /bin/dbus-launch terminated abnormally without any error message
GConf Error: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details - 1: Failed to get connection to session: /bin/dbus-launch terminated abnormally without any error message)
GConf Error: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details - 1: Failed to get connection to session: /bin/dbus-launch terminated abnormally without any error message)
GConf Error: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details - 1: Failed to get connection to session: /bin/dbus-launch terminated abnormally without any error message)

Changed in evince (Ubuntu):
status: Incomplete → New
Jamie Strandboge (jdstrand) wrote :

The correct fix for this is to add a dbus-session abstraction to apparmor and have evince use it. Will discuss with ubuntu-release if this is acceptable before release.

Changed in evince (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in apparmor (Ubuntu Lucid):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

Nikolaus, to work around this issue, please add the following to /etc/apparmor.d/abstractions/evince:
  /usr/bin/dbus-launch Uxr,

Then perform:
$ sudo apparmor_parser -r -W -T /etc/apparmor.d/usr.bin.evince

Nikolaus Rath (nikratio) wrote :

The workaround seems to work, thanks. Now the only remaining error message is

$ evince

** (evince:2175): WARNING **: Failed to create dbus proxy for org.gnome.SettingsDaemon: Could not get owner of name 'org.gnome.SettingsDaemon': no such name

Jamie Strandboge (jdstrand) wrote :

The remaining error is not an apparmor issue and should probably be addressed in a separate bug.

Jamie Strandboge (jdstrand) wrote :

This will be fixed in an SRU.

Changed in evince (Ubuntu Lucid):
milestone: none → lucid-updates
Changed in apparmor (Ubuntu Lucid):
milestone: none → lucid-updates
Jamie Strandboge (jdstrand) wrote :

Nikolaus, the problem you are seeing is that the dbus session bus is not started, which is why evince won't start. The AppArmor issue will be fixed in SRU, but to access evince using a remote display even after this is fixed, you will need to start a session dbus (this is something that gnome-session normally does for you).

Nikolaus Rath (nikratio) wrote :

No, that's a misunderstanding. Evince has been starting (and running) fine all the time. It just produced a lot of error messages in the kernel log and on the console.

Changed in apparmor (Ubuntu Lucid):
importance: High → Medium
Changed in evince (Ubuntu Lucid):
importance: High → Medium
Kai Aeberli (kai.aeberli) wrote :

This bug also affects me, and I tried the workaround. This is the output:

kai@kai-laptop:~$ sudo evince

** (evince:6037): WARNING **: Failed to create dbus proxy for org.gnome.SettingsDaemon: Could not get owner of name 'org.gnome.SettingsDaemon': no such name

** (evince:6037): WARNING **: Error creating last_settings file: Error opening file '/root/.gnome2/evince/last_settings': No such file or directory

Segmentation fault

However, in contrast to Nikolaus, for me evince doesn't start.

Kai Aeberli (kai.aeberli) wrote :

The recent update of evince_2.30.1-0ubuntu1 to evince_2.30.1-0ubuntu2 solved the problem for me.

Jamie Strandboge (jdstrand) wrote :

The AppArmor part has been committed to trunk and will be in maverick when it hits.

Changed in apparmor (Ubuntu Maverick):
milestone: lucid-updates → none
Changed in evince (Ubuntu Maverick):
milestone: lucid-updates → none
Changed in apparmor (Ubuntu Maverick):
status: Triaged → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Marking the evince tasks as Fix Released since they both have the dbus abstraction.

Changed in evince (Ubuntu Lucid):
status: Triaged → Fix Released
Changed in evince (Ubuntu Maverick):
status: Triaged → Fix Released
Jamie Strandboge (jdstrand) wrote :

Based on Nikolaus's feedback, I am going to mark the AppArmor Lucid task as "Won't Fix" for now (since evince is starting and running ok, but is otherwise just noisy). If required, this can be reevaluated going forward. Upstream AppArmor and Maverick will use the following in the new dbus-session abstraction:
  #include <abstractions/dbus>
  /usr/bin/dbus-launch Pix,

Changed in apparmor (Ubuntu Lucid):
importance: Medium → Low
milestone: lucid-updates → none
status: Triaged → Won't Fix
Changed in apparmor (Ubuntu Maverick):
importance: Medium → Low
Changed in apparmor (Ubuntu Lucid):
assignee: Jamie Strandboge (jdstrand) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1~pre1393-0ubuntu1

---------------
apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low

  * Update to upstream bzr revision 1393 from lp:apparmor/2.5.
    * add dbus-session abstraction (LP: #566207)
    * require owner in user-tmp abstraction (LP: #578922)
    * don't use uninitialized $opt_s (LP: #582075)
    * allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462)
    * allow gmplayer in abstractions/ubuntu-media-players (LP: #591421)
  * debian/control: updated branches.
  * debian/patches/0001-local-includes.patch: backported patch from trunk to
    allow local administrators to customize their profiles without modifying
    a shipped profile
  * debian/rules:
    - don't pass RELEASE to libapparmor's 'make install' as it breaks the
      build and isn't used by the Makefile anyway
    - install apparmor.d/local/README in apparmor, not apparmor-profiles
    - don't install apparmor.d/local/usr.sbin.ntpd
  * Drop the following patches already included upstream:
    - 0001-lp538561.patch
    - 0002-aalogprof-warnings.patch
    - 0003-fix-memleaks.patch
    - 0004-lp549557.patch
    - 0005-lp538661.patch
    - 0006-lp611248.patch
 -- Jamie Strandboge <email address hidden> Thu, 05 Aug 2010 16:10:46 -0500

Changed in apparmor (Ubuntu Maverick):
status: Fix Committed → Fix Released

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

Lucid affected, and added dbus-session abstraction, but nothing uses this abstraction in Lucid. /etc/apparmor.d/abstractions/dbus is unchanged on upgrade and therefore no regression.

tags: removed: verification-needed
tags: added: verification-done
Jamie Strandboge (jdstrand) wrote :

I was unclear in my last comment. Lucid is affected by this bug, but the fix is not in the SRU for 2.5.1-0ubuntu0.10.04.1. I verified that /etc/apparmor.d/abstractions/dbus is unchanged on upgrade and therefore there are no regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---------------
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    release):
    - don't ship aa-update-browser and its man page (requires
      0004-ubuntu-abstractions-updates.patch)
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
    0002-add-chromium-browser.patch
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Won't Fix → Fix Released
Ben Gamari (bgamari) wrote :

It seems this has been yet again broken in Oneiric.

Hi Ben, if you feel this has regressed, please open a new bug and
reference it here. Add the tag 'regression-release' so that we can
prioritize it properly, and reference this bug in the report. Remember
to come back here and comment so that we can find the new bug and make
sure it gets triaged quickly.

Excerpts from Ben Gamari's message of Thu Dec 08 04:19:22 UTC 2011:
> It seems this has been yet again broken in Oneiric.

Ben Gamari (bgamari) wrote :

I just opened #904001. Thanks for your help.
