Re: Debian 11: evince and apparmor flood kernel log
On Sat 18 Sep 2021 at 08:43:50 (-0400), Greg Wooledge wrote: > On Sat, Sep 18, 2021 at 12:54:36PM +0200, Roger Price wrote: > > In site.local I found > > > > # The following is a space-separated list of where additional user home > > # directories are stored, each must have a trailing '/'. Directories added > > # here are appended to @{HOMEDIRS}. See tunables/home for details. Eg: > > #@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/ > > > > where curiously, the apparmor installation seems to have detected my > > non-common /home and made the necessary addition, but appended to a > > commented out example. > > It wasn't "detected". That's the generic site.local file that everyone > has. The commented-out line is provided as an example. > > What you're supposed to do is either: > > (a) Uncomment that last line, and edit it. > > (b) Copy that last line, uncomment the copy, and edit the copy. > > I prefer (b) myself. Yes, it's pretty obvious what's going on if you actually do "See tunables/home for details", because that has the = definition that the += is appending to. But — the last line of that comment above is actually inconsistent with how comments are written in /etc/apparmor* files. It should have a space after the #. #include lines are the only ones that don't. The other files that look wrong are /etc/apparmor.d/tunables/*.d/* and /etc/apparmor.d/tunables{kernelvars,sys}. Cheers, David.
Re: Debian 11: evince and apparmor flood kernel log
On Sat, Sep 18, 2021 at 12:54:36PM +0200, Roger Price wrote: > In site.local I found > > # The following is a space-separated list of where additional user home > # directories are stored, each must have a trailing '/'. Directories added > # here are appended to @{HOMEDIRS}. See tunables/home for details. Eg: > #@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/ > > where curiously, the apparmor installation seems to have detected my > non-common /home and made the necessary addition, but appended to a > commented out example. It wasn't "detected". That's the generic site.local file that everyone has. The commented-out line is provided as an example. What you're supposed to do is either: (a) Uncomment that last line, and edit it. (b) Copy that last line, uncomment the copy, and edit the copy. I prefer (b) myself.
Re: Debian 11: evince and apparmor flood kernel log
On Sat, 18 Sep 2021, Klaus Singvogel wrote: Roger Price wrote: In Debian 11, evince has an appamor profile which floods the kernel log with hundreds of messages of the style: Not only at Debian 11, even Debian 10 has it. [...] (evince:2869): GVFS-WARNING **: 22:18:18.510: can't init metadata tree /mnt/home/rprice/.local/share/gvfs-metadata/home: open: Permission denied [...] Is there some way of calming evince+appamor? The location of your home is uncommon (as on my side). Fix: edit /etc/apparmor.d/tunables/home.d/site.local In site.local I found # The following is a space-separated list of where additional user home # directories are stored, each must have a trailing '/'. Directories added # here are appended to @{HOMEDIRS}. See tunables/home for details. Eg: #@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/ where curiously, the apparmor installation seems to have detected my non-common /home and made the necessary addition, but appended to a commented out example. I added line /mnt/home/ and tried to restart apparmor.service. This failed with error messages such as Sep 18 12:08:33 titan apparmor.systemd[5150]: AppArmor parser error for /etc/apparmor.d/lsb_release in /etc/apparmor.d/tunables/multiarch at line 13: syntax error Sep 18 12:08:33 titan apparmor.systemd[5154]: AppArmor parser error for /etc/apparmor.d/nvidia_modprobe in /etc/apparmor.d/tunables/multiarch at line 13: syntax error So I tried replacing @{HOMEDIRS}=/home/ with @{HOMEDIRS}=/mnt/home/ in file /etc/apparmor.d/tunables/home I restarted apparmor.service and some light testing shows that the problem is solved. My error in site.local was probably to have added /mnt/home and not @{HOMEDIRS}+=/mnt/home Thanks to all who responded! Roger
Re: Debian 11: evince and apparmor flood kernel log
Roger Price wrote: > In Debian 11, evince has an appamor profile which floods the kernel log with > hundreds of messages of the style: Not only at Debian 11, even Debian 10 has it. [...] > (evince:2869): GVFS-WARNING **: 22:18:18.510: can't init metadata tree > /mnt/home/rprice/.local/share/gvfs-metadata/home: open: Permission denied [...] > Is there some way of calming evince+appamor? The location of your home is uncommon (as on my side). Fix: edit /etc/apparmor.d/tunables/home.d/site.local Best regards, Klaus. -- Klaus Singvogel GnuPG-Key-ID: 1024R/5068792D 1994-06-27
Re: Debian 11: evince and apparmor flood kernel log
Hi. On Fri, Sep 17, 2021 at 10:54:32PM +0200, Roger Price wrote: > I solved the problem by switching to mupdf, but mupdf is not as complete as > evince. It's customary to add "YMMV" to such statements. Just saying. > Is there some way of calming evince+appamor? Pick whatever suits you: Quick-and-dirty, but wrong way (apparmor is good, do not disable it unless you know what you're doing): /usr/sbin/aa-disable /usr/bin/evince Easy, but wrong way (aa-logprof is only good for user-defined profiles, and you *will* get complicated upgrades): aa-logprof # accept whatever the thing will show you A correct way, but it may require more than one iteration: echo '/mnt/home/rprice/.local/share/gvfs-metadata/home r,' >> /etc/apparmor.d/local/usr.bin/evince aa-complain /usr/bin/evince aa-enforce /usr/bin/evince Reco
Debian 11: evince and apparmor flood kernel log
In Debian 11, evince has an appamor profile which floods the kernel log with hundreds of messages of the style: [24216.325764] audit: type=1400 audit(1631892398.580:255): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/mnt/home/rprice/.local/share/gvfs-metadata/home" pid=2229 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=2108 ouid=2108 and floods the console with messages such as (evince:2869): GVFS-WARNING **: 22:18:18.510: can't init metadata tree /mnt/home/rprice/.local/share/gvfs-metadata/home: open: Permission denied ** (evince:2869): WARNING **: 22:18:18.510: Error setting file metadata: can’t open metadata tree Command ls -l /mnt/home/rprice/.local/share/gvfs-metadata/home reports -rw--- 1 rprice cs-users 800 Aug 18 10:48 /mnt/home/rprice/.local/share/gvfs-metadata/home Quoting file /etc/apparmor.d/usr.bin.evince: # evince is not written with application confinement in mind and is designed to # operate within a trusted desktop session where anything running within the # user's session is trusted. I solved the problem by switching to mupdf, but mupdf is not as complete as evince. Is there some way of calming evince+appamor? Roger