Bug 4468 - Evince (and possibly other programs) doesn't work in a remote Ubuntu session
Summary: Evince (and possibly other programs) doesn't work in a remote Ubuntu session
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server OS (show other bugs)
Version: 3.4.0
Hardware: PC Linux Ubuntu
: P2 Normal
Target Milestone: 4.1.0
Assignee: Pierre Ossman
Keywords: derfian_tester
Depends on:
Reported: 2012-11-08 13:45 CET by Aaron Sowry
Modified: 2013-05-20 16:17 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:


Description Aaron Sowry cendio 2012-11-08 13:45:54 CET
I assume this is something to do with AppArmor. From "strace evince":

open("/var/opt/thinlinc/sessions/aaron/1/Xauthority", O_RDONLY) = -1 EACCES (Permission denied)

Perhaps the installer should configure AppArmor too, in the same way we do for SELinux, but I imagine this would require editing system files. If we don't want to do this, then we should at least add something to Platform Specific Notes.
Comment 1 Peter Åstrand cendio 2012-11-13 11:19:08 CET
Confirmed with a standard Ubuntu 12.04 installation. Found this upstream bug:


Unfortunately RESOLVED NOTABUG. It is indeed an AppArmor thing. Stupid if you ask me... Wrt configuration, there's a file:


...that only allows these files:

  # .Xauthority files required for X connections, per user
  @{HOME}/.Xauthority           r,
  owner /{,var/}run/gdm/*/database r,
  owner /{,var/}run/lightdm/authority/[0-9]* r,

This "abstration" is used by:


The gnome abstraction is used by:


Thus, fortunately, it seems like Evince is basically the only problematic program. Whee, this gives SO much more security! 

I guess we could ask them to include /var/opt/thinlinc/... in the default configuration...
Comment 2 Peter Åstrand cendio 2012-11-13 11:31:31 CET
By adding this line to /etc/apparmor.d/abstractions/X:

  owner /{,var/}opt/thinlinc/sessions/*/*/Xauthority r,

...evince actually "starts". However, it looks like shit, and writes this to the console:

(evince:13833): GRIP-WARNING **: failed to determine device types

(evince:13833): GRIP-WARNING **: Failed to initialize gesture manager.

(evince:13833): GRIP-WARNING **: Failed to initialize gesture manager.

It's not even possible to close the application. This does not help either:

# mv /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/

I'd say that this is FUBAR.
Comment 3 Patrik Pira 2012-12-12 08:18:15 CET
In my opinion the best workaround is to reconfigure apparmor with an "additional home", 

sudo dpkg-reconfigure apparmor

specify /var/opt/thinlinc/sessions/ as an "additional home".

Everything works. Maybe document this as a workaround?
Comment 4 Aaron Sowry cendio 2013-02-04 14:02:17 CET
(In reply to comment #3)
> In my opinion the best workaround is to reconfigure apparmor with an
> "additional home", 

I'm leaning towards this solution too - AFAICT, any automated solution involves modifying system files, which is not a good idea IMO. Perhaps we can simply document this workaround in Platform Specific Notes.
Comment 5 Aaron Sowry cendio 2013-02-04 15:51:46 CET
Workaround added to Platform Specific Notes in r26497.
Comment 6 Aaron Sowry cendio 2013-02-05 15:03:51 CET
Vetoed - we've decided to keep investigating additional possible solutions to this issue.
Comment 7 Pierre Ossman cendio 2013-04-24 13:38:34 CEST
AppArmor sucks royally. I cannot see any proper way of extending the existing policy ("local/" is for the administrator, and is not guaranteed to be used).

There is a tunables/home.d that seems open for abuse though. We might be able to drop the necessary policy changes in there. Not really what that directory is supposed to be used for, but I don't see any other options.
Comment 8 Pierre Ossman cendio 2013-04-24 14:44:59 CEST
Bah. home.d is included in the preamble, so we cannot add any rules there. The only thing we can do is modify variables. So we can automate the workaround in comment 3, but not much else.
Comment 9 Pierre Ossman cendio 2013-04-24 15:08:50 CEST
tl-setup was modified to configure this for the administrator in r27172.

Tester should remove the old information on the web during the test period.
Comment 10 Aaron Sowry cendio 2013-04-29 10:04:43 CEST
The apparmor module is not shipping.
Comment 11 Aaron Sowry cendio 2013-04-29 10:10:40 CEST
Also, error on line 197 of apparmor.py.
Comment 12 Pierre Ossman cendio 2013-04-29 16:47:35 CEST
Comment 13 Karl Mikaelsson cendio 2013-05-20 16:17:42 CEST
> open("/var/opt/thinlinc/sessions/cendio/1/Xauthority", O_RDONLY) = 7

Didn't have any problems with the AppArmor install on 12.04 and Evince starts up nicely. Calling this one done, solved and closed.

Note You need to log in before you can comment on or make changes to this bug.