On Sat 09 Feb 2019 at 19:03:02 (+0000), David Sumbler wrote: > I tried all the suggestions on the page suggested. Nothing helped > except for completely disabling AppArmor for Evince. The links then > work as intended! > > But it would be preferable, probably, not to do that, so I removed the > disabling link and tried again with the AppArmor files modified as you > suggested. I rebooted and, sad to say, the old problem occurs. > > However, in case you or anyone else can make a further suggestion on > how to get things working even with AppArmor doing its thing, here are > the lines that appear in my /var/log/syslog file when I open a Lilypond > PDF file in Evince, and then click on a link. > > Upon opening the file, I get (in a single line): > > Feb 9 18:11:21 vesta kernel: [ 975.529752] audit: type=1400 > audit(1549735881.448:47): apparmor="DENIED" > operation="open" profile="/usr/bin/evince" > name="/home/david/.local/share/applications/mimeapps.list" pid=3241 > comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 > > When I click on a link in the displayed file, I get: > > Feb 9 18:11:38 vesta kernel: [ 992.243804] audit: type=1400 > audit(1549735898.161:48): apparmor="DENIED" > operation="exec" profile="/usr/bin/evince" > name="/usr/local/bin/lilypond-wrapper.guile" pid=3261 > comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 > > Although all of the other 71 files in ~/.local/share/applications/ have > me as owner and group, the file mimeapps.list has owner and group set > to root. I looked at my partner's computer, which is running Ubuntu > 16.04, and there the corresponding file has owner and group set to the > user, rather than root. (Presumably this is some change made in > Ubuntu, since I don't think I can have done anything to change it.)
Is it possible you accidentally ran the command xdg-mime default lilypond-invoke-editor.desktop x-scheme-handler/textedit with sudo? There's no way root should be owning any files in /home. > So I tried changing the ownership of that file on my computer, and sure > enough, I no longer see an error in the log file when evince is > started. But when I click on a link in the Lilypond file I still get: > > Feb 9 18:34:45 vesta kernel: [ 200.968460] audit: type=1400 > audit(1549737285.711:45): apparmor="DENIED" > operation="exec" profile="/usr/bin/evince" > name="/usr/local/bin/lilypond-wrapper.guile" pid=2507 > comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 > > Clearly I can't sensibly change the ownership of > /usr/local/bin/lilypond-wrapper.guile, and presumably this is the sort > of thing AppArmor is supposed to sort out. I did, however, try adding > a line specifically for this file in > /etc/apparmor.d/local/usr.bin.evince, but it hasn't helped. I too use Debian and, although there are apparmor files dotted around, it doesn't use them here. However, I get the impression that the apparmor files are loaded into the kernel, rather than being used in situ. So I wonder whether, *whenever* you make changes to any of these files, you have to reparse them with apparmor_parser. Did you do that? (I don't know if they're loaded at boot time.) > Meanwhile, I shall go back to disabling AppArmor for Evince, even > though it is probably slightly less than ideal. BTW I think there are a few small wrinkles in the documentation: If you write a file called lilypond-invoke-editor.desktop in a local directory such as /tmp, then you need to run xdg-desktop-menu install /tmp/lilypond-invoke-editor.desktop and not xdg-desktop-menu install ./lilypond-invoke-editor.desktop If you run evince but not Gnome, then gnome-open may not be present, but it may be worth trying xdg-open. I assume (but cannot test) that the lines: # For Textedit links /usr/local/bin/lilypond-invoke-editor Cx -> sanitized_helper, should be adjusted according to where lilypond was installed. (In your case, you happen to have matched its assumption.) Cheers, David. _______________________________________________ lilypond-user mailing list [email protected] https://lists.gnu.org/mailman/listinfo/lilypond-user
