can you look in dmesg or kern.log for the actual apparmor denial?
> I have absolutely no idea what "ixr"
allow r (read) permission
allow ix == on eXecute inherit the current profile
an exec permission can specify different options that should be taken,
inherit the current profile, transition to
Hi,
This bug is back in Document Viewer/Evince(*) 3.36.7, at least under
Linux Mint 20 Ulyana.
Apparently, evince does not try to use exo-open anymore, but launches firefox
directly (or via a sh shell?!?!) :{
I get error: "sh: 1: exec: firefox: Operation not permitted"
I've tried the trick
apparmor 2.7.102-0ubuntu3.8 has been superceded by apparmor
2.7.102-0ubuntu3.9 in -proposed and needs new verification.
** Tags removed: verification-done
** Tags added: verification-needed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed
This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.8
---
apparmor (2.7.102-0ubuntu3.8) precise-proposed; urgency=low
* 0022-aa-logprof-PUx_rewrite_fix-lp982619.patch: fix aa-logprof
rewrite of PUx modes (LP: #982619)
* 0023-lp1091642-parser-reset_matchflags.patch:
** Tags removed: verification-needed
** Tags added: verification-done
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Status in
See also https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1214979
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Status in
I have re-tested this problem with the benefit of clarity of time. :)
I have verified that the AppArmor policy changes in the apparmor package
in precise-proposed behave as desired, without DENIED entries, for using
exo-open as the application helper.
I have verified that evince is able to open
** Branch linked: lp:~kees/apparmor/debian
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Status in “apparmor” package in Ubuntu:
Can someone verify this on precise?
I can't replicate the failure of the AppArmor test case here.
I installed the xfce4 package. I logged in using the xfce4 environment.
I downloaded a PDF and a PNG in Firefox, double-clicked them from the
Downloads window (right-click no longer contains open),
** Branch linked: lp:ubuntu/precise-proposed/apparmor
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Status in “apparmor” package
Hello Wannes, or anyone else affected,
Accepted apparmor into precise-proposed. The package will build now and
be available at
http://launchpad.net/ubuntu/+source/apparmor/2.7.102-0ubuntu3.8 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
This bug was fixed in the package evince - 3.4.0-0ubuntu1.5
---
evince (3.4.0-0ubuntu1.5) precise-proposed; urgency=low
* debian/apparmor-profile: allow evince to launch the browser on Xubuntu.
Fix thanks to Mark Ramsell (LP: #987578)
-- Micah Gersten mic...@ubuntu.com Thu,
** Tags removed: verification-needed
** Tags added: verification-done
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Status in
I can confirm, that evince 3.4.0-0ubuntu1.5 from precise-proposed fixes
the issue for me.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use
Hello Wannes, or anyone else affected,
Accepted evince into precise-proposed. The package will build now and be
available at http://launchpad.net/ubuntu/+source/evince/3.4.0-0ubuntu1.5
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
Brian. Thank you so much. From what I can see here, it seems to work
now. Links launch successfully.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed
** Branch linked: lp:ubuntu/precise-proposed/evince
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Status in “apparmor” package in
These are uploaded, but since they're not critical for 12.04.2, they'll
be reviewed after 12.04.2 is done with.
** Changed in: apparmor (Ubuntu Precise)
Milestone: ubuntu-12.04.2 = None
** Changed in: evince (Ubuntu Precise)
Milestone: ubuntu-12.04.2 = None
--
You received this bug
** Also affects: evince (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: apparmor (Ubuntu Precise)
Importance: Undecided
Status: New
** Changed in: evince (Ubuntu Precise)
Status: New = In Progress
** Changed in: evince (Ubuntu Precise)
Attached is a debdiff for this issue and for bug 982619 and bug 1091642
for an SRU for precise. I've confirmed that the package rebuilds
correctly via sbuild and that the result passes the apparmor tests from
lp:qa-regression-testing.
** Patch added: apparmor_2.7.102-0ubuntu3.8.debdiff
** Description changed:
+ Applications aren't able to use exo-open in Xubuntu with apparmor.
+
+ Test case:
+ Open PDF with a link in it under Xubuntu
+ Click the link
+ Should fail with the current versions of evince/apparmor and work with the
new versions
+
+
** Description changed:
Applications aren't able to use exo-open in Xubuntu with apparmor
profiles enabled.
- Test case:
+ Test case (apparmor):
+ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
+ Launch firefox
+ Download a file in Firefox
+ Tools - Downloads
+ Right Click and open the
** Changed in: apparmor (Ubuntu Precise)
Assignee: Micah Gersten (micahg) = (unassigned)
** Changed in: evince (Ubuntu Precise)
Assignee: Micah Gersten (micahg) = (unassigned)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to
My default browser is SeaMonkey and I am still experiencing a
permissions issue.
~$ cat /etc/apparmor.d/local/usr.bin.evince
# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see /etc/apparmor.d/local/README.
/usr/bin/exo-open ixr,
** Changed in: apparmor (Ubuntu)
Status: Triaged = In Progress
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Status in
This bug was fixed in the package apparmor - 2.8.0-0ubuntu1
---
apparmor (2.8.0-0ubuntu1) quantal; urgency=low
* New upstream release
- Drop the following patches, now included upstream:
0003-add-aa-easyprof.patch
0005-clean-common-from-vim.patch
** Changed in: evince (Ubuntu)
Status: Triaged = In Progress
** Changed in: evince (Ubuntu)
Assignee: (unassigned) = Jamie Strandboge (jdstrand)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
This bug was fixed in the package evince - 3.5.3-0ubuntu5
---
evince (3.5.3-0ubuntu5) quantal; urgency=low
* debian/apparmor-profile: allow evince to launch the browser on Xubuntu.
Fix thanks to Mark Ramsell (LP: #987578)
-- Jamie Strandboge ja...@ubuntu.com Thu, 05 Jul 2012
Mark's update looks reasonable to me. Can others experiencing this issue
confirm?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Modified fix to x64 (/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1)
and it appared to work, but hit bug #964510 before i could confirm. No
comment/knowledge on security implications.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to
System is Linux 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:33:05 UTC 2012
i686 i686 i386 GNU/Linux
Xubuntu 12.04
Stepped through all the DENIED errors and came up with this...
# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see
The security implication of using '/usr/bin/exo-open Ux' is that if
there is a flaw in evince, an attacker can execute anything via exo-
open. This is not the proper fix.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
Adding the following line to /etc/apparmor.d/local/usr.bin.evince seems to fix
the bug:
/usr/bin/exo-open Ux,
(i.e. Ux instead of ixr)
I do not know the security implications of this, but at least links in
evince seem to work again.
--
You received this bug notification because you are a
I have the same problem with Ubuntu and chromium-browser.
/var/log/syslog says
May 1 12:17:13 theakston kernel: [100752.649693] type=1400
audit(1335871033.942:36): apparmor=DENIED operation=file_mmap parent=28630
profile=/usr/bin/evince//sanitized_helper
tnhh, your problem is bug #964510
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed to use exo-open
Status in “apparmor” package in Ubuntu:
Triaged
Thanks Jamie! I foolishly searched under evince rather than
apparmor. Ignore my off-topic comment.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/987578
Title:
Evince is not allowed
36 matches
Mail list logo
