Evince denied from opening

Bug #1432126 reported by Bruce Pieterse
This bug affects 6 people
Affects            Status         Importance   Assigned to   Milestone
AppArmor           Fix Released   Undecided    Unassigned
Ubuntu GNOME       Fix Released   Undecided    Unassigned
apparmor (Ubuntu)  Fix Released   High         Unassigned

Bug Description

AppArmor is denying evince from running.

It initially started when I tried opening a PDF attachment in Thunderbird. Saving the file to disk and opening via nautilus renders the same result. Trying to just open evince without a file doesn't work either.

Mar 14 11:10:00 host evince[27787]: <audit-1400> apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 14 11:10:00 host kernel: audit: type=1400 audit(1426324200.744:33): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 14 11:10:00 host evince.desktop[27787]: No protocol specified
Mar 14 11:10:00 host evince.desktop[27787]: ** (evince:27787): WARNING **: Could not open X display
Mar 14 11:10:00 host evince[27787]: <audit-1400> apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: apparmor 2.9.1-0ubuntu7
ProcVersionSignature: Ubuntu 3.19.0-7.7-generic 3.19.0
Uname: Linux 3.19.0-7-generic x86_64
ApportVersion: 2.16.2-0ubuntu3
Architecture: amd64
CurrentDesktop: GNOME
Date: Sat Mar 14 11:07:03 2015
InstallationDate: Installed on 2015-02-08 (33 days ago)
InstallationMedia: Ubuntu-GNOME 15.04 "Vivid Vervet" - Alpha amd64 (20150207)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.19.0-7-generic root=UUID=80974ebe-fd7c-446d-89c5-23bf40b9b915 ro quiet splash
SourcePackage: apparmor
Syslog: Mar 14 00:31:22 tanagra dbus[775]: [system] AppArmor D-Bus mediation is enabled
UpgradeStatus: No upgrade log present (probably fresh install)

Bruce Pieterse (octoquad) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Brandon Pierce (ihashacks) wrote :

I get the feeling this is more than just Evince. I think the X profile needs to be updated:

# sudo grep -R Xauthority apparmor.d/*
apparmor.d/abstractions/X: # .Xauthority files required for X connections, per user
apparmor.d/abstractions/X: owner @{HOME}/.Xauthority r,

# dmesg | grep Xauthority | grep -oE 'comm=".*"' | sort | uniq
comm="evince" requested_mask="r" denied_mask="r"
comm="firefox-gtk3" requested_mask="r" denied_mask="r"

Seth Arnold (seth-arnold) wrote :

Brandon, I think you're right; I'm not sure what decided the .Xauthority files needed to move to somewhere else, but there it is, no longer in your home directory.

Try adding the following line to your /etc/apparmor.d/abstractions/X file:

owner /run/user/*/gdm/Xauthority r,

Then sudo apparmor_parser --replace /etc/apparmor.d/

Thanks

Brandon Pierce (ihashacks) wrote :

Seth,

Your fix did work for me. Firefox (GTK3) and Evince worked as expected with the AA change. It appears that GDM is what decided where to put the Xauthority file. If I "dpkg-reconfigure gdm" and switch to LightDM then the Xauthority file appears in $HOME again.

Changed in apparmor:
status: New → Fix Committed
Changed in apparmor (Ubuntu):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

---------------
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <email address hidden> Sat, 28 Mar 2015 07:22:30 -0500

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Steve Beattie (sbeattie) wrote :

This was fixed in upstream apparmor in the 2.9.2 release, closing there.

Changed in apparmor:
status: Fix Committed → Fix Released
Andrew Pam (xanni) wrote :

How do I get this fix on Trusty? I'm running apparmor 2.8.95~2430-0ubuntu5.3 with lightdm and thus .Xauthority in my home directory.

Seth Arnold (seth-arnold) wrote :

Andrew, if you're using lightdm then you've got a different bug. Could you open a new bug with ubuntu-bug apparmor and provide a description of the problem you're having and include the relevant DENIED lines from your logs?

Thanks

Andrew Pam (xanni) wrote :

That's OK, I worked out what my issue was (moving /home to another volume) and how to fix it: edit /etc/apparmor.d/tunables/home.d/ubuntu and run apparmor_parser --replace /etc/apparmor.d/

Changed in ubuntu-gnome:
status: New → Fix Released
Jon Schewe (jpschewe) wrote :

I know this was closed quite some time ago, but I'm seeing this show up on Ubuntu 18.04:

Sep 11 14:17:13 bbn-11838 kernel: [275098.499551] audit: type=1400 audit(1536693433.724:1007): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xdg/mimeapps.list" pid=11797 comm="evince" requested_mask="r" denied_mask="r" fsuid=1832001200 ouid=0

Jon Schewe (jpschewe) wrote :

Pardon, I see that it's a different file. I will create a new bug.
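
Added example (not part of the original bug report and not AppArmor project code): a triage script that parses the DENIED lines quoted in this thread and reports which denials a set of file rules still leaves uncovered, applying the owner, path glob and permission checks. Assumptions: only `*`, `**` and `?` globbing is handled, `@{HOME}` is expanded by hand to `/home/*`, and the firefox-gtk3 log line is constructed, since the thread shows only its `comm` field.

```python
import re

# Sample input: lines 1 and 3 are quoted from this report; line 2 is constructed.
LINES = [
    'Mar 14 11:10:00 host kernel: audit: type=1400 audit(1426324200.744:33): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gdm/Xauthority" pid=27787 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Mar 14 11:12:00 host kernel: audit: type=1400 audit(0.0:0): apparmor="DENIED" operation="open" profile="constructed-firefox-profile" name="/run/user/1000/gdm/Xauthority" pid=1 comm="firefox-gtk3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Sep 11 14:17:13 bbn-11838 kernel: [275098.499551] audit: type=1400 audit(1536693433.724:1007): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xdg/mimeapps.list" pid=11797 comm="evince" requested_mask="r" denied_mask="r" fsuid=1832001200 ouid=0',
    'Mar 14 11:10:00 host evince.desktop[27787]: No protocol specified',
]
# Rule in abstractions/X before the fix, with @{HOME} expanded by hand (assumption).
OLD_RULES = ["owner /home/*/.Xauthority r,"]
# Rule suggested in this thread, added to the old one.
NEW_RULES = OLD_RULES + ["owner /run/user/*/gdm/Xauthority r,"]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def glob_to_regex(glob):
    """Simplified AppArmor globbing: ** crosses '/', * and ? do not."""
    parts = re.findall(r"\*\*|\*|\?|[^*?]+", glob)
    return re.compile("".join(GLOB.get(p) or re.escape(p) for p in parts))

def rule_covers(rule, denial):
    """True if a file rule '[owner] PATH PERMS,' would allow the denied access."""
    m = re.fullmatch(r"\s*(owner\s+)?(\S+)\s+([a-z]+),\s*", rule)
    if m is None:
        raise ValueError("unsupported rule syntax: " + rule)
    owner, path, perms = m.groups()
    if owner and denial["fsuid"] != denial["ouid"]:
        return False  # 'owner' rules apply only when the task owns the file
    if not set(denial["denied_mask"]) <= set(perms):
        return False  # the rule does not grant every denied permission
    return glob_to_regex(path).fullmatch(denial["name"]) is not None

def uncovered(lines, rules):
    """Sorted (comm, path) pairs whose denial no rule in `rules` covers."""
    denials = filter(None, map(parse_denial, lines))
    return sorted({(d["comm"], d["name"]) for d in denials
                   if not any(rule_covers(r, d) for r in rules)})

if __name__ == "__main__":
    print("before:", uncovered(LINES, OLD_RULES))
    print("after: ", uncovered(LINES, NEW_RULES))
```

With the added rule, only the `/etc/xdg/mimeapps.list` denial from the 18.04 comment remains, which matches the conclusion in the thread that it is a different file.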
