control: clone -1 control: retitle -1 AppArmor: profile doesn't allow to access Acrobat Reader control: tags -1 user thunderb...@packages.debian.org control: usertags -1 tb-apparmor
Hello Francois On Thu, Jan 11, 2018 at 08:29:50PM +0100, Francois Mescam wrote: ... > > > In the log when I try to open a pdf I have this message : > > > > > > Jan 11 10:47:46 eiffel6 kernel: [40296.963168] audit: type=1400 > > > audit(1515664066.510:296): apparmor="DENIED" operation="exec" > > > profile="thunderbird" name="/usr/bin/acroread" pid=12815 > > > comm="thunderbird" > > > requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 > > > > > > After I do > > > > > > aa-disable /etc/apparmor.d/usr.bin.thunderbird > > > > > > acroread is launched correctly. > > > > > > I observe this problem on a laptop running debian testing up to date. > > you don't have written which version you use, testing has 52.4.0-1 > > unstable is on 52.5.2-2 and especially the apparmor stuff has changed > > significantly between both versions. > I use version 52.4.0-1 then your added information isn't really relevant for the reported issue as the profile currently seems to not allow the usage of /usr/bin/acroread. I cloned the report into a new issue to track this separately. You can try to add a line for the Acrobat Reader into the profile. But this is blind shot from me, acroread will requesting probably further files. diff --git a/debian/apparmor/usr.bin.thunderbird b/debian/apparmor/usr.bin.thunderbird index d1f4098c75..6744f4e058 100644 --- a/debian/apparmor/usr.bin.thunderbird +++ b/debian/apparmor/usr.bin.thunderbird @@ -198,6 +198,8 @@ profile thunderbird @{thunderbird_executable} { /{usr/,}bin/ps Uxr, /{usr/,}bin/uname Uxr, /usr/bin/locale Uxr, + # may work for Adobe Acrobat + /usr/bin/acroread Uxr, /usr/bin/gpg Cx -> gpg, /usr/bin/gpg2 Cx -> gpg, Regards Carsten