Public bug reported:

Description:    Ubuntu 14.04.1 LTS

apt-cache policy evince evince-common
evince:
  Installed: 3.10.3-0ubuntu10.1
  Candidate: 3.10.3-0ubuntu10.1
  Version table:
 *** 3.10.3-0ubuntu10.1 0
        500 http://dk.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages
        100 /var/lib/dpkg/status
     3.10.3-0ubuntu10 0
        500 http://dk.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages
evince-common:
  Installed: 3.10.3-0ubuntu10.1
  Candidate: 3.10.3-0ubuntu10.1
  Version table:
 *** 3.10.3-0ubuntu10.1 0
        500 http://dk.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages
        100 /var/lib/dpkg/status
     3.10.3-0ubuntu10 0
        500 http://dk.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages


There are a few issues here. The main problem is that the Evince apparmor
settings do not honor site wide dconf settings as described in dconf(7). I'm
currently preparing a multiuser setup where we need some site wide 
configurations, one of which affects Evince.

Problem (1): As described in dconf(7) system wide settings can be made
by creating and editing /etc/dconf/profile/user, which will be read if
it exists. However if we do

echo 'user-db:user' | sudo tee -a /etc/dconf/profile/user
sudo dconf update
evince

We get the following warning

(evince:9145): dconf-WARNING **: Unable to open /etc/dconf/profile/user:
Permission denied

and the following message in SYSLOG

kernel: [ 1129.931888] type=1400 audit(1407843498.164:65):
apparmor="DENIED" operation="open" profile="/usr/bin/evince"
name="/etc/dconf/profile/user" pid=9145 comm="evince" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0

Indeed if we search through all files in /etc/apparmor.d , /etc/dconf is
not mentioned anywhere.

Possible solution:  Add

/etc/dconf/** r,

to /etc/apparmor.d/abstractions/evince (I've added it at the end of the
/etc/ list already there), and run

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

Then there are no complaints anymore

Problem (2): Again reading dconf(7) it is recommended to change the
settings if /home is NFS mounted. Thus in /etc/dconf/profile/user we
should replace 'user-db:user' by 'service-db:keyfile/user'

This causes a new permission denied problem. Remember to run 'sudo dconf
update' and log out and in again.

(evince:19187): dconf-WARNING **: unable to open file
'/run/user/1000/dconf-service/keyfile/user': Failed to open file
'/run/user/1000/dconf-service/keyfile/user': open() failed: Permission
denied; expect degraded performance

from syslog:

kernel: [ 5430.597984] type=1400 audit(1407848788.264:81):
apparmor="DENIED" operation="open" profile="/usr/bin/evince"
name="/run/user/1000/dconf-service/keyfile/user" pid=19188
comm=64636F6E6620776F726B6572 requested_mask="r" denied_mask="r"
fsuid=1000 ouid=1000


The apparmor files do mention '/run/user/' (in usr.bin.evince):

# Maybe add to an abstraction?
  owner /{,var/}run/user/*/dconf/          w,
  owner /{,var/}run/user/*/dconf/user      rw,

however, this does not match 'dconf-service'. One can fix this by adding

owner /{,var/}run/user/*/dconf-service/keyfile/          w,
owner /{,var/}run/user/*/dconf-service/keyfile/user      rw,

to /etc/apparmor.d/abstractions/evince (I added them right after the
other 'owner' lines at the top)

** Affects: evince (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1355804

Title:
  Evince apparmor settings not allowing sitewide dconf changes

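The check described in the report, as an added example that is not part of the original bug report or of AppArmor: it parses the two quoted denials (decoding the hex-encoded comm field) and tests them against the existing and proposed rules. The glob matcher is a simplified approximation of AppArmor's syntax, not apparmor_parser; the names parse_denial, glob_to_regex, rule_allows and uncovered are hypothetical.

```python
import re
# The two denials from the report, with the e-mail line wraps removed.
DENIALS = [
    'type=1400 audit(1407843498.164:65): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/evince" name="/etc/dconf/profile/user" pid=9145 '
    'comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=1400 audit(1407848788.264:81): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/evince" name="/run/user/1000/dconf-service/keyfile/user" '
    'pid=19188 comm=64636F6E6620776F726B6572 requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=1000',
]
EXISTING = ['owner /{,var/}run/user/*/dconf/ w,',
            'owner /{,var/}run/user/*/dconf/user rw,']
PROPOSED = ['/etc/dconf/** r,',
            'owner /{,var/}run/user/*/dconf-service/keyfile/ w,',
            'owner /{,var/}run/user/*/dconf-service/keyfile/user rw,']

def parse_denial(line):
    """Split an audit line into fields; unquoted comm/name values are hex-encoded."""
    rec = {}
    for key, raw, quoted in re.findall(r'(\w+)=("([^"]*)"|\S+)', line):
        if raw.startswith('"'):
            rec[key] = quoted
        elif key in ('comm', 'name') and re.fullmatch(r'([0-9A-Fa-f]{2})+', raw):
            rec[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            rec[key] = raw
    return rec

def glob_to_regex(glob):
    """Simplified AppArmor glob: **, *, ? and {a,b} only (no [] classes)."""
    out, depth = '', 0
    for tok in re.findall(r'\*\*|.', glob):
        depth += (tok == '{') - (tok == '}')
        out += {'**': '.*', '*': '[^/]*', '?': '[^/]', '{': '(?:', '}': ')'}.get(
            tok, '|' if tok == ',' and depth else re.escape(tok))
    return re.compile(out + r'\Z')

def rule_allows(rule, rec):
    """True if one file rule covers the denied path, mask and owner condition."""
    m = re.match(r'\s*(owner\s+)?(/\S*)\s+([a-z]+),\s*$', rule)
    if not m or (m.group(1) and rec['fsuid'] != rec['ouid']):
        return False
    return bool(glob_to_regex(m.group(2)).match(rec['name'])) \
        and set(rec['denied_mask']) <= set(m.group(3))

def uncovered(denials, rules):
    """Paths of denials that no rule in `rules` would have allowed."""
    recs = map(parse_denial, denials)
    return [r['name'] for r in recs if not any(rule_allows(x, r) for x in rules)]
```

The first denial has fsuid=1000 and ouid=0, so an 'owner' rule would not cover /etc/dconf/profile/user; the proposed '/etc/dconf/** r,' has no owner qualifier.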