Bug 4468 - Evince (and possibly other programs) doesn't work in a remote Ubuntu session
: ThinLinc
Server OS
: 3.4.0
: PC Linux Ubuntu
: P2 Normal
: 4.1.0
Assigned To:
Reported: 2012-11-08 13:45 by
Modified: 2013-05-20 16:17 (History)

Description From cendio 2012-11-08 13:45:54
I assume this is something to do with AppArmor. From "strace evince":

open("/var/opt/thinlinc/sessions/aaron/1/Xauthority", O_RDONLY) = -1 EACCES (Permission denied)

Perhaps the installer should configure AppArmor too, in the same way we do for
SELinux, but I imagine this would require editing system files. If we don't
want to do this, then we should at least add something to Platform Specific
------- Comment #1 From cendio 2012-11-13 11:19:08 -------
Confirmed with a standard Ubuntu 12.04 installation. Found this upstream bug:


Unfortunately RESOLVED NOTABUG. It is indeed an AppArmor thing. Stupid if you
ask me... Wrt configuration, there's a file:


...that only allows these files:

  # .Xauthority files required for X connections, per user
  @{HOME}/.Xauthority           r,
  owner /{,var/}run/gdm/*/database r,
  owner /{,var/}run/lightdm/authority/[0-9]* r,

This "abstraction" is used by:


The gnome abstraction is used by:


Thus, fortunately, it seems like Evince is basically the only problematic
program. Whee, this gives SO much more security! 

I guess we could ask them to include /var/opt/thinlinc/... in the default
------- Comment #2 From cendio 2012-11-13 11:31:31 -------
By adding this line to /etc/apparmor.d/abstractions/X:

  owner /{,var/}opt/thinlinc/sessions/*/*/Xauthority r,

...evince actually "starts". However, it looks like shit, and writes this to
the console:

(evince:13833): GRIP-WARNING **: failed to determine device types

(evince:13833): GRIP-WARNING **: Failed to initialize gesture manager.

(evince:13833): GRIP-WARNING **: Failed to initialize gesture manager.

It's not even possible to close the application. This does not help either:

# mv /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/

I'd say that this is FUBAR.
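
Added example (not part of the bug thread or of ThinLinc's code): a small Python model of AppArmor path globbing, run over the three rules quoted in comment #1, the rule added in comment #2, and the path from the strace output in the description. It shows why the stock X abstraction denies the ThinLinc Xauthority file and why the added rule matches it. The @{HOME} values are the assumed stock Ubuntu tunables, and the "owner" file-ownership check is not modelled.

```python
import re

# Assumed stock Ubuntu tunables: @{HOMEDIRS}=/home/, @{HOME}=@{HOMEDIRS}*/ /root/
VARS = {"HOME": ["/home/*/", "/root/"]}
# Path globs quoted in comment #1 (the "owner" qualifier is dropped, see allows()).
STOCK_X_RULES = ["@{HOME}/.Xauthority",
                 "/{,var/}run/gdm/*/database",
                 "/{,var/}run/lightdm/authority/[0-9]*"]
# Path glob of the line added in comment #2.
THINLINC_RULE = "/{,var/}opt/thinlinc/sessions/*/*/Xauthority"
# Path from the strace output in the description.
DENIED_PATH = "/var/opt/thinlinc/sessions/aaron/1/Xauthority"

def expand_vars(glob):
    """Return one glob per value of each @{VAR}, with doubled slashes collapsed."""
    m = re.search(r"@\{(\w+)\}", glob)
    if not m:
        return [re.sub(r"/{2,}", "/", glob)]
    return [g for v in VARS[m.group(1)]
            for g in expand_vars(glob[:m.start()] + v + glob[m.end():])]

def glob_to_regex(glob):
    """AppArmor globbing: ** crosses '/', * and ? do not, {a,b} alternates."""
    out, i, depth = "", 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out, i = out + ".*", i + 1
        elif c == "*":
            out += "[^/]*"
        elif c == "?":
            out += "[^/]"
        elif c == "{":
            out, depth = out + "(?:", depth + 1
        elif c == "}" and depth:
            out, depth = out + ")", depth - 1
        elif c == "," and depth:
            out += "|"
        elif c == "[" and "]" in glob[i:]:
            j = glob.index("]", i)
            out, i = out + glob[i:j + 1], j
        else:
            out += re.escape(c)
        i += 1
    return re.compile(out + r"\Z")

def allows(rules, path):
    """True if any rule's glob matches path; file-owner checks are not modelled."""
    return any(glob_to_regex(g).match(path)
               for rule in rules for g in expand_vars(rule))

if __name__ == "__main__":
    print("stock abstractions/X:", allows(STOCK_X_RULES, DENIED_PATH))
    print("with comment #2 rule:", allows(STOCK_X_RULES + [THINLINC_RULE], DENIED_PATH))
```
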
------- Comment #3 From 2012-12-12 08:18:15 -------
In my opinion the best workaround is to reconfigure apparmor with an
"additional home", 

sudo dpkg-reconfigure apparmor

specify /var/opt/thinlinc/sessions/ as an "additional home".

Everything works. Maybe document this as a workaround?
------- Comment #4 From cendio 2013-02-04 14:02:17 -------
(In reply to comment #3)
> In my opinion the best workaround is to reconfigure apparmor with an
> "additional home", 

I'm leaning towards this solution too - AFAICT, any automated solution involves
modifying system files, which is not a good idea IMO. Perhaps we can simply
document this workaround in Platform Specific Notes.
------- Comment #5 From cendio 2013-02-04 15:51:46 -------
Workaround added to Platform Specific Notes in r26497.
------- Comment #6 From cendio 2013-02-05 15:03:51 -------
Vetoed - we've decided to keep investigating additional possible solutions to
this issue.
------- Comment #7 From cendio 2013-04-24 13:38:34 -------
AppArmor sucks royally. I cannot see any proper way of extending the existing
policy ("local/" is for the administrator, and is not guaranteed to be used).

There is a tunables/home.d that seems open for abuse though. We might be able
to drop the necessary policy changes in there. Not really what that directory
is supposed to be used for, but I don't see any other options.
------- Comment #8 From cendio 2013-04-24 14:44:59 -------
Bah. home.d is included in the preamble, so we cannot add any rules there. The
only thing we can do is modify variables. So we can automate the workaround in
comment 3, but not much else.
------- Comment #9 From cendio 2013-04-24 15:08:50 -------
tl-setup was modified to configure this for the administrator in r27172.

Tester should remove the old information on the web during the test period.
------- Comment #10 From cendio 2013-04-29 10:04:43 -------
The apparmor module is not shipping.
------- Comment #11 From cendio 2013-04-29 10:10:40 -------
Also, error on line 197 of apparmor.py.
------- Comment #12 From cendio 2013-04-29 16:47:35 -------
------- Comment #13 From cendio 2013-05-20 16:17:42 -------
> open("/var/opt/thinlinc/sessions/cendio/1/Xauthority", O_RDONLY) = 7

Didn't have any problems with the AppArmor install on 12.04 and Evince starts
up nicely. Calling this one done, solved and closed.