Hello, Am Donnerstag, 24. Juli 2025, 15:35 schrieb Simon McVittie: > On Thu, 24 Jul 2025 at 14:22:08 +0100, Simon McVittie wrote: > >In the "journalctl -f" output, I see > >this AppArmor denial (uid 0 or adm membership required): > >>Jul 24 12:27:49 espresso kernel: audit: type=1400 > >>audit(1753356469.641:148): apparmor="DENIED" operation="exec" > >>class="file" profile="/usr/bin/evince" > >>name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" > >>requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 > A possible patch: > > ----8<---- > --- debian/apparmor-profile 2025-07-17 14:27:11.713382824 +0100 > +++ /etc/apparmor.d/usr.bin.evince 2025-07-24 14:23:39.877301150 +0100 > @@ -63,6 +63,7 @@ > > /usr/bin/evince rmPx, > /usr/bin/evince-previewer Px, > + /usr/bin/papers-previewer Pix,
A Px rule (without the ix fallback) would be better. Obviously this means that we need a separate profile for papers-previewer. Since you switched the evince profile to complain mode, your audit.log should already include everything to create that profile. Are you familiar enough with aa-logprof to create the papers-previewer profile? Otherwise, please attach your /var/log/audit/audit.log (and possibly audit.log.[0-9] if they have been rotated away - should be obvious by looking at the timestamp). Regards, Christian Boltz -- Well, in rc3 it complains about using an uninitialized value at line 1465. But at least the message is shorter now, so it's a kind of improvement. :-/ [Steffen Winterfeldt in https://bugzilla.novell.com/show_bug.cgi?id=223909]
signature.asc
Description: This is a digitally signed message part.
