On Fri 1 Mar 2019 at 21:14, David Wright
<lily...@lionunicorn.co.uk> wrote:
Actually, I think there's an error in your reasoning in the apparmor
section, but I'm unable to test it because I have nothing installed
(that I know of) using these files. You wrote:
Next, edit '/etc/apparmor.d/usr.bin.evince' and uncomment the line:
# Site-specific additions and overrides. See local/README for details.
include <local/usr.bin.evince>
[It's right at the end.] The local files provide for extending and adding
information to the base apparmor files without interfering with them, and
making system upgrades easier.
But I think you've removed a # that should be left in. AIUI in these
apparmor files:
# Site-specific additions and overrides. See local/README for details.
↑↑ introduced an ordinary comment
#include <local/usr.bin.evince>
↑↑↑↑↑↑↑↑ this is an active include line (think C pragma)
David, finally I had the chance to test it on a vanilla Ubuntu 18.10.
You are right about the #include syntax. More details here:
http://manpages.ubuntu.com/manpages/cosmic/en/man5/apparmor.d.5.html
I've also verified it, just to be sure.
So the guide by Andrew is incorrect in this part. And also with
reloading configuration: reloading apparmor systemd service is not
necessary; AFAICT apparmor_parser is enough.
The main issues to be fixed (for Usage manual) are:
a. The Usage manual should point out that the lilypond full path in
/etc/apparmor.d/local/usr.bin.evince should be changed according to
your own installation (it's obvious, but you can easily forget it when
you follow detailed instructions which make you "lazy").
b. Looking at `journalctl -xe|less` I see that the problem seems to be
the fact that lilypond-invoke-editor is actually a symlink to a script,
which then calls the guile executable distributed in the lilypond package.
So we have three files here.
My findings:
1. with Usage manual current configuration I get this error:
mar 15 13:32:01 ubuntu-18 audit[3121]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/home/fede/.local/bin/lilypond-wrapper.guile" pid=3121 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
mar 15 13:32:01 ubuntu-18 kernel: audit: type=1400 audit(1552653121.550:40): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/home/fede/.local/bin/lilypond-wrapper.guile" pid=3121 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
2. Ok, let's try adding lilypond-wrapper.guile (see end of this email).
And I get this:
mar 15 13:55:18 ubuntu-18 audit[3647]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/home/fede/.local/lilypond/usr/bin/guile" pid=3647 comm="lilypond-invoke" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
mar 15 13:55:18 ubuntu-18 org.gnome.Evince.desktop[1702]: /home/fede/.local/bin/lilypond-invoke-editor: 6: exec: /home/fede/.local/lilypond/usr/bin/guile: Permission denied
mar 15 13:55:18 ubuntu-18 kernel: audit: type=1400 audit(1552654518.540:118): apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/home/fede/.local/lilypond/usr/bin/guile" pid=3647 comm="lilypond-invoke" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
3. Ok, let's add also ...usr/bin/guile and I get this:
mar 15 13:57:49 ubuntu-18 audit[3678]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/home/fede/.local/lilypond/usr/bin/guile" pid=3678 comm="lilypond-invoke" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
mar 15 13:57:49 ubuntu-18 org.gnome.Evince.desktop[1702]: /home/fede/.local/bin/lilypond-invoke-editor: 6: exec: /home/fede/.local/lilypond/usr/bin/guile: Permission denied
mar 15 13:57:49 ubuntu-18 kernel: audit: type=1400 audit(1552654669.399:124): apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/home/fede/.local/lilypond/usr/bin/guile" pid=3678 comm="lilypond-invoke" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Same error as in point 2.
Perhaps there's another way usr/bin/guile should be enabled.
Hopefully Ubuntu or OpenSUSE users (where Apparmor is enabled by
default) can shed some light on this.
This is my current configuration:
fede@ubuntu-18:~$ which lilypond
/home/fede/.local/bin/lilypond
fede@ubuntu-18:~$ cat /etc/apparmor.d/local/usr.bin.evince
# For Textedit links
/home/fede/.local/bin/lilypond-invoke-editor Cx -> sanitized_helper,
/home/fede/.local/bin/lilypond-wrapper.guile Cx -> sanitized_helper,
/home/fede/.local/lilypond/usr/bin/guile Cx -> sanitized_helper,
_______________________________________________
lilypond-user mailing list
lilypond-user@gnu.org
https://lists.gnu.org/mailman/listinfo/lilypond-user
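The denials in the message above can be mined mechanically rather than read by hand. What follows is an added example, not code from the thread or from the LilyPond project: a POSIX shell script that parses AppArmor DENIED audit records by their key="value" fields (both the `audit[...]: AVC ...` and the `kernel: audit: type=1400 ...` forms carry the same fields) and prints, for every denied exec, a rule line in the `Cx -> sanitized_helper` shape used in the local file shown in the thread. The sample records are constructed from the thread's own output, reflowed to one record per line as the kernel emits them; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread or from LilyPond): extract the
# profile, target path and denied mask from AppArmor "DENIED" audit records
# and print candidate rule lines for a local override file.
# The records below are constructed from the thread's journalctl output,
# one record per line as the kernel emits them.

SAMPLE_LOG='mar 15 13:32:01 ubuntu-18 audit[3121]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/home/fede/.local/bin/lilypond-wrapper.guile" pid=3121 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
mar 15 13:55:18 ubuntu-18 audit[3647]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/home/fede/.local/lilypond/usr/bin/guile" pid=3647 comm="lilypond-invoke" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
mar 15 13:55:18 ubuntu-18 org.gnome.Evince.desktop[1702]: /home/fede/.local/bin/lilypond-invoke-editor: 6: exec: /home/fede/.local/lilypond/usr/bin/guile: Permission denied
mar 15 13:57:49 ubuntu-18 kernel: audit: type=1400 audit(1552654669.399:124): apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/home/fede/.local/lilypond/usr/bin/guile" pid=3678 comm="lilypond-invoke" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000'

# aa_denials: stdin = log lines, stdout = one "profile|name|denied_mask"
# line per distinct denial. Fields are matched by key, not by position, so
# the "audit[...]: AVC" and "kernel: audit: type=1400" forms both parse.
aa_denials() {
  awk '
    /apparmor="DENIED"/ {
      p = n = m = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        v = kv[2]; gsub(/"/, "", v)
        if (kv[1] == "profile") p = v
        else if (kv[1] == "name") n = v
        else if (kv[1] == "denied_mask") m = v
      }
      if (p != "" && n != "") print p "|" n "|" m
    }' | LC_ALL=C sort -u
}

# aa_suggest_rules: for every denied exec ("x" in denied_mask) print a rule
# in the shape used in /etc/apparmor.d/local/usr.bin.evince in the thread,
# with the denying profile recorded as a trailing AppArmor comment. A
# profile name ending in "//sanitized_helper" is the child profile the
# helper already transitioned into, so that denial is decided by the child
# profile's rules, not by a line added to the parent's local file.
aa_suggest_rules() {
  aa_denials | awk -F'|' '$3 ~ /x/ {
    print $2 " Cx -> sanitized_helper,  # denied in profile " $1
  }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | aa_denials
printf '%s\n' "$SAMPLE_LOG" | aa_suggest_rules
```

Two things the output makes visible. The guile denials carry the profile `/usr/bin/evince//sanitized_helper`, AppArmor's notation for a child profile, so they are not governed by the parent profile's local file; and every suggested rule grants execute on a path under the user's home directory, where anything able to write would then run with the profile's rights, so each line deserves a look before it is pasted in.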