[Bug 987578] Re: Evince is not allowed to use exo-open
can you look in dmesg or kern.log for the actual apparmor denial?

> I have absolutely no idea what "ixr"

allow r (read) permission
allow ix == on eXecute inherit the current profile

an exec permission can specify different options that should be taken, inherit the current profile, transition to specific profile, transition based on the exec profile name, ...

> /usr/bin/firefox ixr, -> error about "option" x being in conflict

there is another exec rule that matches and it specifies that something else should be done. Hence they conflict.

> /usr/bin/firefox r, -> does not work
> /usr/bin/sh r, -> seems very dangerous & does not work

--
You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578

Title:
  Evince is not allowed to use exo-open

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/987578/+subscriptions

--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
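Finding "the actual apparmor denial" in kern.log comes down to reading the key=value audit records and grouping them by profile, operation, target and denied mask. The script below is an added example, not part of this thread or of AppArmor's tooling; its first three sample lines are the KernLog entries from this bug's description, and the last two are constructed (a complain-mode ALLOWED record and a DENIED record with a hex-encoded name, which is how the kernel audit code logs names containing spaces or other special characters).

```python
import re
from collections import Counter, namedtuple

# First three lines: KernLog entries from the bug description in this thread.
# Last two lines: constructed for this example (see comments on each).
SAMPLE_KERN_LOG = [
    'Apr 24 02:22:50 box kernel: [349882.938280] type=1400 audit(1335226970.303:28): '
    'apparmor="DENIED" operation="exec" parent=13156 profile="/usr/bin/evince" '
    'name="/usr/bin/exo-open" pid=13157 comm="evince" requested_mask="x" '
    'denied_mask="x" fsuid=1000 ouid=0',
    'Apr 24 02:23:01 box kernel: [349894.110102] type=1400 audit(1335226981.475:29): '
    'apparmor="DENIED" operation="exec" parent=13158 profile="/usr/bin/evince" '
    'name="/usr/bin/exo-open" pid=13159 comm="evince" requested_mask="x" '
    'denied_mask="x" fsuid=1000 ouid=0',
    'Apr 24 02:29:40 box kernel: [350293.526127] type=1400 audit(1335227380.890:30): '
    'apparmor="DENIED" operation="exec" parent=13225 profile="/usr/bin/evince" '
    'name="/usr/bin/exo-open" pid=13226 comm="evince" requested_mask="x" '
    'denied_mask="x" fsuid=1000 ouid=0',
    # Constructed: complain-mode record, logged but not blocked, so not a denial.
    'Apr 24 02:30:00 box kernel: [350300.000000] type=1400 audit(1335227400.000:31): '
    'apparmor="ALLOWED" operation="exec" parent=13225 profile="/usr/bin/evince" '
    'name="/usr/bin/exo-open" pid=13230 comm="evince" requested_mask="x" '
    'denied_mask="x" fsuid=1000 ouid=0',
    # Constructed: name contains a space, so it is logged as unquoted hex.
    'Apr 24 02:30:05 box kernel: [350305.000000] type=1400 audit(1335227405.000:32): '
    'apparmor="DENIED" operation="open" parent=13225 profile="/usr/bin/evince" '
    'name=2F746D702F612062 pid=13231 comm="evince" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=1000',
]

Denial = namedtuple("Denial", "profile operation name denied_mask")

# key="quoted value" or key=bare-token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Fields that carry strings; an unquoted all-hex value here is an encoded string.
STRING_KEYS = {"profile", "name", "comm"}


def parse_fields(line):
    """Return the key=value pairs of one audit record as a dict of strings."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif key in STRING_KEYS and HEX_RE.fullmatch(raw):
            value = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            value = raw
        fields[key] = value
    return fields


def iter_denials(lines):
    """Yield a Denial for every record with apparmor="DENIED"."""
    for line in lines:
        if "apparmor=" not in line:
            continue  # not an AppArmor audit record
        fields = parse_fields(line)
        if fields.get("apparmor") != "DENIED":
            continue  # ALLOWED (complain mode), STATUS, etc.
        yield Denial(
            fields.get("profile", "?"),
            fields.get("operation", "?"),
            fields.get("name", "?"),
            fields.get("denied_mask", "?"),
        )


def summarize(lines):
    """Return [(Denial, count), ...], most frequent first."""
    return Counter(iter_denials(lines)).most_common()


if __name__ == "__main__":
    for denial, count in summarize(SAMPLE_KERN_LOG):
        print(f"{count:3d}x profile={denial.profile} op={denial.operation} "
              f"name={denial.name} denied={denial.denied_mask}")
```
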
[Bug 987578] Re: Evince is not allowed to use exo-open
Hi,

This bug is back in Document Viewer/Evince(*) 3.36.7, at least under Linux Mint 20 Ulyana. Apparently, evince does not try to use exo-open anymore, but launches firefox directly (or via a sh shell?!?!) :{

I get error: "sh: 1: exec: firefox: Operation not permitted"

I've tried the trick found here to modify /etc/apparmor.d/usr.bin.evince but with no success. I used (NOTE: I have absolutely no idea what "ixr" could mean, thus what I'm doing...):

/usr/bin/firefox ixr, -> error about "option" x being in conflict
/usr/bin/firefox r, -> does not work
/usr/bin/sh r, -> seems very dangerous & does not work

(*) Life would be a LOT easier for bug reporters if only one name would be used for app, instead of one name in CLI (/usr/bin/evince) and another in GUI (Document Viewer)...
[Bug 987578] Re: Evince is not allowed to use exo-open
This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.8

---
apparmor (2.7.102-0ubuntu3.8) precise-proposed; urgency=low

  * 0022-aa-logprof-PUx_rewrite_fix-lp982619.patch: fix aa-logprof rewrite of PUx modes (LP: #982619)
  * 0023-lp1091642-parser-reset_matchflags.patch: prevent reuse of matchflags in parser dfa backend and add testcase demonstrating the problem (LP: #1091642)
  * 0024-profiles-allow_exo-open-lp987578.patch: allow exo-open to work within ubuntu-integration (LP: #987578)

 -- Steve Beattie  Thu, 24 Jan 2013 11:40:48 -0800

** Changed in: apparmor (Ubuntu Precise)
       Status: Fix Committed => Fix Released
[Bug 987578] Re: Evince is not allowed to use exo-open
** Tags removed: verification-needed
** Tags added: verification-done
[Bug 987578] Re: Evince is not allowed to use exo-open
apparmor 2.7.102-0ubuntu3.8 has been superseded by apparmor 2.7.102-0ubuntu3.9 in -proposed and needs new verification.

** Tags removed: verification-done
** Tags added: verification-needed
[Bug 987578] Re: Evince is not allowed to use exo-open
See also https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1214979
[Bug 987578] Re: Evince is not allowed to use exo-open
I have re-tested this problem with the benefit of clarity of time. :)

I have verified that the AppArmor policy changes in the apparmor package in precise-proposed behave as desired, without DENIED entries, for using exo-open as the application helper.

I have verified that evince is able to open links with the new apparmor package in precise-proposed.

Thanks

** Tags removed: verification-needed
** Tags added: verification-done
[Bug 987578] Re: Evince is not allowed to use exo-open
** Branch linked: lp:~kees/apparmor/debian
[Bug 987578] Re: Evince is not allowed to use exo-open
Can someone verify this on precise? I can't replicate the failure of the AppArmor test case here.

I installed the xfce4 package. I logged in using the xfce4 environment. I downloaded a PDF and a PNG in Firefox, double-clicked them from the Downloads window (right-click no longer contains "open"), and they both opened without any trouble.

I replaced the PDF viewer "application helper" setting in Firefox with exo-open, and the PDF still opened without any trouble.

How exactly do you get this to break?

Thanks
[Bug 987578] Re: Evince is not allowed to use exo-open
** Branch linked: lp:ubuntu/precise-proposed/apparmor
[Bug 987578] Re: Evince is not allowed to use exo-open
Hello Wannes, or anyone else affected,

Accepted apparmor into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.7.102-0ubuntu3.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: apparmor (Ubuntu Precise)
       Status: In Progress => Fix Committed

** Tags removed: verification-done
** Tags added: verification-needed
[Bug 987578] Re: Evince is not allowed to use exo-open
This bug was fixed in the package evince - 3.4.0-0ubuntu1.5

---
evince (3.4.0-0ubuntu1.5) precise-proposed; urgency=low

  * debian/apparmor-profile: allow evince to launch the browser on Xubuntu. Fix thanks to Mark Ramsell (LP: #987578)

 -- Micah Gersten  Thu, 24 Jan 2013 22:40:48 -0600

** Changed in: evince (Ubuntu Precise)
       Status: Fix Committed => Fix Released
[Bug 987578] Re: Evince is not allowed to use exo-open
** Tags removed: verification-needed
** Tags added: verification-done
[Bug 987578] Re: Evince is not allowed to use exo-open
I can confirm, that evince 3.4.0-0ubuntu1.5 from precise-proposed fixes the issue for me.
[Bug 987578] Re: Evince is not allowed to use exo-open
** Branch linked: lp:ubuntu/precise-proposed/evince
[Bug 987578] Re: Evince is not allowed to use exo-open
Brian. Thank you so much. From what I can see here, it seems to work now. Links launch successfully.
[Bug 987578] Re: Evince is not allowed to use exo-open
Hello Wannes, or anyone else affected,

Accepted evince into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/evince/3.4.0-0ubuntu1.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: evince (Ubuntu Precise)
       Status: In Progress => Fix Committed

** Tags added: verification-needed
[Bug 987578] Re: Evince is not allowed to use exo-open
These are uploaded, but since they're not critical for 12.04.2, they'll be reviewed after 12.04.2 is done with.

** Changed in: apparmor (Ubuntu Precise)
    Milestone: ubuntu-12.04.2 => None

** Changed in: evince (Ubuntu Precise)
    Milestone: ubuntu-12.04.2 => None
[Bug 987578] Re: Evince is not allowed to use exo-open
** Changed in: apparmor (Ubuntu Precise)
     Assignee: Micah Gersten (micahg) => (unassigned)

** Changed in: evince (Ubuntu Precise)
     Assignee: Micah Gersten (micahg) => (unassigned)
[Bug 987578] Re: Evince is not allowed to use exo-open
** Description changed: Applications aren't able to use exo-open in Xubuntu with apparmor profiles enabled. - Test case: + Test case (apparmor): + sudo aa-enforce /etc/apparmor.d/usr.bin.firefox + Launch firefox + Download a file in Firefox + Tools -> Downloads + Right Click and open the downloaded file, should fail with the old version and open with the new + + Test case (evince): Open PDF with a link in it under Xubuntu Click the link Should fail with the current versions of evince/apparmor and work with the new versions - Regression potential: minimal as this should just enable exo usage with apparmor profiles -- Using a fresh install of Xubuntu 12.04 beta, I can not open links from within evince. A red bar appears on top and says : "Unable to open external link" "Failed to execute child process "exo-open" (Permission denied)" I suppose this is due to a bad configuration of AppArmor. ProblemType: BugDistroRelease: Ubuntu 12.04 Package: evince 3.4.0-0ubuntu1 ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14 Uname: Linux 3.2.0-23-generic x86_64 ApportVersion: 2.0.1-0ubuntu5 Architecture: amd64 Date: Tue Apr 24 02:40:31 2012 EcryptfsInUse: Yes InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328) KernLog: Apr 24 02:22:50 box kernel: [349882.938280] type=1400 audit(1335226970.303:28): apparmor="DENIED" operation="exec" parent=13156 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13157 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 Apr 24 02:23:01 box kernel: [349894.110102] type=1400 audit(1335226981.475:29): apparmor="DENIED" operation="exec" parent=13158 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13159 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 Apr 24 02:29:40 box kernel: [350293.526127] type=1400 audit(1335227380.890:30): apparmor="DENIED" operation="exec" parent=13225 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13226 comm="evince" requested_mask="x" 
denied_mask="x" fsuid=1000 ouid=0 ProcEnviron: TERM=xterm PATH=(custom, user) LANG=en_US.UTF-8 SHELL=/bin/bashSourcePackage: evince UpgradeStatus: No upgrade log present (probably fresh install)
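Review bot: The added "Test case (apparmor)" steps do not say they must be run in an Xubuntu session with exo-open as the helper, whereas the evince case says "under Xubuntu", and "should fail with the old version" names no observable symptom. Suggest stating the session precondition and the expected failure signal, for example the apparmor="DENIED" entry for /usr/bin/exo-open shown in the KernLog field, so a verifier can tell a pass from a test that never exercised exo-open.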
[Bug 987578] Re: Evince is not allowed to use exo-open
** Description changed: + Applications aren't able to use exo-open in Xubuntu with apparmor. + + Test case: + Open PDF with a link in it under Xubuntu + Click the link + Should fail with the current versions of evince/apparmor and work with the new versions + + - + + Regression potential: + minimal as this should just enable exo usage in apparmor + + -- + Using a fresh install of Xubuntu 12.04 beta, I can not open links from within evince. A red bar appears on top and says : "Unable to open external link" "Failed to execute child process "exo-open" (Permission denied)" I suppose this is due to a bad configuration of AppArmor. - ProblemType: Bug - DistroRelease: Ubuntu 12.04 + ProblemType: BugDistroRelease: Ubuntu 12.04 Package: evince 3.4.0-0ubuntu1 ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14 Uname: Linux 3.2.0-23-generic x86_64 ApportVersion: 2.0.1-0ubuntu5 Architecture: amd64 Date: Tue Apr 24 02:40:31 2012 EcryptfsInUse: Yes InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328) KernLog: - Apr 24 02:22:50 box kernel: [349882.938280] type=1400 audit(1335226970.303:28): apparmor="DENIED" operation="exec" parent=13156 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13157 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 - Apr 24 02:23:01 box kernel: [349894.110102] type=1400 audit(1335226981.475:29): apparmor="DENIED" operation="exec" parent=13158 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13159 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 - Apr 24 02:29:40 box kernel: [350293.526127] type=1400 audit(1335227380.890:30): apparmor="DENIED" operation="exec" parent=13225 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13226 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 + Apr 24 02:22:50 box kernel: [349882.938280] type=1400 audit(1335226970.303:28): apparmor="DENIED" operation="exec" parent=13156 profile="/usr/bin/evince" name="/usr/bin/exo-open" 
pid=13157 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 + Apr 24 02:23:01 box kernel: [349894.110102] type=1400 audit(1335226981.475:29): apparmor="DENIED" operation="exec" parent=13158 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13159 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 + Apr 24 02:29:40 box kernel: [350293.526127] type=1400 audit(1335227380.890:30): apparmor="DENIED" operation="exec" parent=13225 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13226 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 ProcEnviron: - TERM=xterm - PATH=(custom, user) - LANG=en_US.UTF-8 - SHELL=/bin/bash - SourcePackage: evince + TERM=xterm + PATH=(custom, user) + LANG=en_US.UTF-8 + SHELL=/bin/bashSourcePackage: evince UpgradeStatus: No upgrade log present (probably fresh install) ** Changed in: apparmor (Ubuntu Precise) Assignee: (unassigned) => Micah Gersten (micahg) ** Description changed: - Applications aren't able to use exo-open in Xubuntu with apparmor. + Applications aren't able to use exo-open in Xubuntu with apparmor + profiles enabled. Test case: Open PDF with a link in it under Xubuntu Click the link Should fail with the current versions of evince/apparmor and work with the new versions - Regression potential: - minimal as this should just enable exo usage in apparmor + minimal as this should just enable exo usage with apparmor profiles -- Using a fresh install of Xubuntu 12.04 beta, I can not open links from within evince. A red bar appears on top and says : "Unable to open external link" "Failed to execute child process "exo-open" (Permission denied)" I suppose this is due to a bad configuration of AppArmor. 
ProblemType: BugDistroRelease: Ubuntu 12.04 Package: evince 3.4.0-0ubuntu1 ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14 Uname: Linux 3.2.0-23-generic x86_64 ApportVersion: 2.0.1-0ubuntu5 Architecture: amd64 Date: Tue Apr 24 02:40:31 2012 EcryptfsInUse: Yes InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328) KernLog: Apr 24 02:22:50 box kernel: [349882.938280] type=1400 audit(1335226970.303:28): apparmor="DENIED" operation="exec" parent=13156 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13157 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 Apr 24 02:23:01 box kernel: [349894.110102] type=1400 audit(1335226981.475:29): apparmor="DENIED" operation="exec" parent=13158 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13159 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 Apr 24 02:29:40 box kernel: [350293.526127] type=1400 audit(13
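Review bot: In the apport section, fields that were on separate lines are now joined: "ProblemType: Bug" and "DistroRelease: Ubuntu 12.04" become "ProblemType: BugDistroRelease: Ubuntu 12.04", and "SHELL=/bin/bash" runs into "SourcePackage: evince". Restore the line breaks so the DistroRelease and SourcePackage fields stay readable as separate keys; the description edits above them do not need this block to change at all.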
[Bug 987578] Re: Evince is not allowed to use exo-open
Attached is a debdiff for this issue and for bug 982619 and bug 1091642 for an SRU for precise. I've confirmed that the package rebuilds correctly via sbuild and that the result passes the apparmor tests from lp:qa-regression-testing.

** Patch added: "apparmor_2.7.102-0ubuntu3.8.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/evince/+bug/987578/+attachment/3499287/+files/apparmor_2.7.102-0ubuntu3.8.debdiff
[Bug 987578] Re: Evince is not allowed to use exo-open
** Also affects: evince (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: evince (Ubuntu Precise)
       Status: New => In Progress

** Changed in: evince (Ubuntu Precise)
     Assignee: (unassigned) => Micah Gersten (micahg)

** Changed in: evince (Ubuntu Precise)
    Milestone: None => ubuntu-12.04.2

** Changed in: apparmor (Ubuntu Precise)
    Milestone: None => ubuntu-12.04.2

** Changed in: apparmor (Ubuntu Precise)
       Status: New => In Progress
[Bug 987578] Re: Evince is not allowed to use exo-open
My default browser is SeaMonkey and I am still experiencing a permissions issue.

~$ cat /etc/apparmor.d/local/usr.bin.evince
# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see /etc/apparmor.d/local/README.
/usr/bin/exo-open ixr,
/usr/lib/i386-linux-gnu/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
~$

Clicking a hyperlink in evince gets this error.

Failed to execute default Web Browser.
Failed to execute child process "seamonkey" (Permission denied).
[Bug 987578] Re: Evince is not allowed to use exo-open
This bug was fixed in the package evince - 3.5.3-0ubuntu5

---
evince (3.5.3-0ubuntu5) quantal; urgency=low

  * debian/apparmor-profile: allow evince to launch the browser on Xubuntu. Fix thanks to Mark Ramsell (LP: #987578)

 -- Jamie Strandboge  Thu, 05 Jul 2012 13:12:14 -0500

** Branch linked: lp:ubuntu/apparmor

** Changed in: evince (Ubuntu)
       Status: In Progress => Fix Released
[Bug 987578] Re: Evince is not allowed to use exo-open
** Changed in: evince (Ubuntu)
       Status: Triaged => In Progress

** Changed in: evince (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Bug 987578] Re: Evince is not allowed to use exo-open
This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work with latest skype. Based on work by Ivan Frederiks (LP: #933440)

 -- Jamie Strandboge  Thu, 05 Jul 2012 10:53:17 -0500

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Released
[Bug 987578] Re: Evince is not allowed to use exo-open
** Changed in: apparmor (Ubuntu)
       Status: Triaged => In Progress
[Bug 987578] Re: Evince is not allowed to use exo-open
Modified fix to x64 (/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1) and it appeared to work, but hit bug #964510 before I could confirm. No comment/knowledge on security implications.
[Bug 987578] Re: Evince is not allowed to use exo-open
Mark's update looks reasonable to me. Can others experiencing this issue confirm?
[Bug 987578] Re: Evince is not allowed to use exo-open
System is Linux 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:33:05 UTC 2012 i686 i686 i386 GNU/Linux
Xubuntu 12.04

Stepped through all the DENIED errors and came up with this...

# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see /etc/apparmor.d/local/README.
/usr/bin/exo-open ixr,
/usr/lib/i386-linux-gnu/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,

I believe this is restrictive enough but would like someone to confirm.
[Bug 987578] Re: Evince is not allowed to use exo-open
The security implication of using '/usr/bin/exo-open Ux' is that if there is a flaw in evince, an attacker can execute anything via exo-open. This is not the proper fix.
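Added example (not part of the original thread and not AppArmor's own tooling): a Python check that reads profile rule lines and reports which exec rules let the launched program leave confinement, run here over the rule lines proposed in this thread. The function names are made up for illustration; the mode handling covers ix, ux/Ux, px/Px, cx/Cx and their fallback forms.

```python
import re

# Rule lines copied from the two proposals in this thread.
PROPOSED_RULES = """\
/usr/bin/exo-open Ux,
/usr/bin/exo-open ixr,
/usr/lib/i386-linux-gnu/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
"""

RULE = re.compile(r"^\s*(?P<path>/\S*)\s+(?P<perms>[A-Za-z]+)\s*,")
# Exec modes: ix, ux/Ux, px/Px, cx/Cx, plus fallback forms such as Pix or PUx.
EXEC_MODE = re.compile(r"(?:[pPcC][iuU]?|[iuU])x")
TARGETS = {
    "i": "inherits the caller's profile",
    "u": "runs unconfined",
    "p": "transitions to its own profile",
    "c": "transitions to a child profile",
}

def classify(perms):
    """Describe the exec mode inside a permission string, or None if it has none."""
    m = EXEC_MODE.search(perms)
    if not m:
        return None
    mode = m.group(0)
    body = mode[:-1]                      # letters in front of the final 'x'
    return {"mode": mode,
            "target": TARGETS[body[0].lower()],
            "unconfined": "u" in body.lower()}   # direct or fallback unconfined

def unconfined_exec_rules(profile_text):
    """Return (path, mode) for every rule that lets the target run unconfined."""
    hits = []
    for line in profile_text.splitlines():
        m = RULE.match(line.split("#", 1)[0])    # ignore comments
        info = classify(m.group("perms")) if m else None
        if info and info["unconfined"]:
            hits.append((m.group("path"), info["mode"]))
    return hits

if __name__ == "__main__":
    for path, mode in unconfined_exec_rules(PROPOSED_RULES):
        print(f"{path}: '{mode}' runs the program and its children unconfined")
```

Only the `Ux` line is reported; the `ixr` rules keep exo-open and its helper under the evince profile.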
[Bug 987578] Re: Evince is not allowed to use exo-open
Adding the following line to /etc/apparmor.d/local/usr.bin.evince seems to fix the bug:

/usr/bin/exo-open Ux,

(i.e. Ux instead of ixr)

I do not know the security implications of this, but at least links in evince seem to work again.
[Bug 987578] Re: Evince is not allowed to use exo-open
Thanks Jamie! I foolishly searched under "evince" rather than "apparmor". Ignore my off-topic comment.
[Bug 987578] Re: Evince is not allowed to use exo-open
tnhh, your problem is bug #964510
[Bug 987578] Re: Evince is not allowed to use exo-open
I have the same problem with Ubuntu and chromium-browser. /var/log/syslog says

May 1 12:17:13 theakston kernel: [100752.649693] type=1400 audit(1335871033.942:36): apparmor="DENIED" operation="file_mmap" parent=28630 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=28635 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

For now I have just done

ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince
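Added example (not from the original thread): Python that parses AppArmor DENIED records like the syslog line quoted above and groups them by parent and child profile, which makes it visible that this denial was raised inside the sanitized_helper child profile rather than in the evince profile itself. The second sample line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the message above; line 2 is constructed.
SAMPLE_LOG = """\
May 1 12:17:13 theakston kernel: [100752.649693] type=1400 audit(1335871033.942:36): apparmor="DENIED" operation="file_mmap" parent=28630 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=28635 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
May 1 12:17:14 host kernel: [100753.000000] type=1400 audit(1335871034.000:37): apparmor="DENIED" operation="exec" parent=100 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=101 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None for other lines."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    if fields.get("apparmor") != "DENIED" or "profile" not in fields:
        return None
    # "parent//child" means the denial happened inside a child profile.
    parent, _, child = fields["profile"].partition("//")
    fields["parent_profile"], fields["child_profile"] = parent, child
    return fields

def summarize(log_text):
    """Group unique (path, denied_mask, comm) tuples by (parent, child) profile."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec:
            key = (rec["parent_profile"], rec["child_profile"])
            grouped[key].add((rec.get("name", ""),
                              rec.get("denied_mask", ""),
                              rec.get("comm", "")))
    return {key: sorted(rows) for key, rows in grouped.items()}

if __name__ == "__main__":
    for (parent, child), rows in summarize(SAMPLE_LOG).items():
        where = f"{parent} (child profile {child})" if child else parent
        for name, mask, comm in rows:
            print(f"{where}: {comm} denied '{mask}' on {name}")
```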