On 14/11/2016 00:32, Kornel Benko wrote:
(I had to rename it, because /usr/local is a symbolic link to /usr9/local.) Also the file name is now usr9.local.bin.lyxwrap2.3 and the content has 'usr9' too.
yeah, that's the issue then...
but still the /tmp/ssh.tar.gz is created. But now
    #/usr/local/bin/lyxwrap2.3 touch ~/ssh.tar.gz
is denied, as is also
    #/usr/local/bin/lyxwrap2.3 rm ~/ssh.tar.gz
I think my patch is wrapping everything for now, so I expect any CVS/SVN/GIT operation to fail, if I forbid access to ~/.ssh! However, I'll double-check exactly what to wrap and what not.
Now, what should be done with the symbolic links?
Nice question, depends on how your system set-up actually is. AFAIU, you have a similar problem to

https://bugs.launchpad.net/apparmor/+bug/1485055

namely, you SHOULD have a system-wide solution in place within /etc/apparmor.d/tunables/alias:

    alias /usr/local -> /usr9/local

(and your lyxwrap profile should be OK with /usr/local/bin/lyxwrap2.3, no need for /usr9...) which is peculiar to your own system (guess you moved /usr/local yourself, didn't you? HD partition space issues?)

When installing system-wide, it should go into /usr/bin/..., which hopefully is not a symlink to smth else (yet), but in case it symlinks to /usr9/bin..., the remedy should be similar ;-).

Pls, confirm whether you see LyX working properly, and preventing execution of scripts as expected vs allowing for conversion of harmless images etc... (would be super if you could play with the 2 new options in the Preferences->File Handling->Converters->Security, check/uncheck, wipe .lyx/cache/, try again etc...)

Thanks,

T.