Re: Getting point-and-click working

[Andrew Bernard]

Hi All,

I am following the same track today.

Can I add a discovery, and a different issue on my Ubuntu 18.10?

The discovery is that the /etc/apparmor.d/local directory exists to allow local modifications and add-ons to files in the /etc/apparmor.d directory. At the end of /etc/apparmor.d/usr.bin.evince are the following lines:

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.evince>

You need to uncomment the include line out so that the local file gets taken account of. Then run apparmor_parser on the top level file.

Also restart apparmor:

# /etc/init.d/apparmor restart

just for good measure (I am not sure if this is essential).

I hope this makes sense of part of the foregoing thread.

But now, for me on Ubuntu 18.10, the problem is solved but it has moved further down the track. Observing /var/log/syslog is useful for debugging this work. We get:

Feb 23 23:41:30 ubu1810 kernel: [  420.450790] audit: type=1400 audit(1550925690.952:84): apparmor="DENIED" operation="exec" profile="" name="/home/andro/bin/lilypond-wrapper.guile" pid=3532 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

So now you can see that the next lilypond wrapper down the line is blocked.

I know very little about apparmor. Does anybody know the appropriate incantation to sort this out?

Andrew

On Mon, 11 Feb 2019 at 00:43, David Sumbler <address@hidden> wrote:

Thank you all for your help in this matter.

Today I have point-and-click working as it should, with AppArmor
apparently doing what it is supposed to do.

What made the difference was the following:

The Usage Manual 4.1.1 says that the lines
        # For Textedit links
        /usr/local/bin/lilypond-invoke-editor Cx -> sanitized_helper,
should be added to the file /etc/apparmor.d/local/usr.bin.evince .
This file did not exist, although there are several other files in that
directory, so I had created the file and put just the two lines above
in it.  Unfortunately, as I reported, point-and-click didn't work for
me.

With the difficulties I was having, yesterday I disabled AppArmor for
Evince by adding a soft link to /etc/apparmor.d/usr.bin.evince in
/etc/apparmor.d/disable/ .  This is what made point-and-click work
eventually for me yesterday.

However, following your latest emails to the list on the topic, today I
thought I would have another go.  I deleted the disabling link, and ran
'sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince'
 again.  I also ran
'sudo apparmor_parser -r -T -W /etc/apparmor.d/local/usr.bin.evince'.
I don't know whether that needed to be done or not, but I found that it
throws out a syntax error.

So I copied the lines out of the second file and inserted them into the
main usr.bin.evince file.  I then deleted
/etc/apparmor.d/local/usr.bin.evince .

After I ran
'sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince'once more, I found that point-and-click works as it should.

I don't pretend to understand what is going on here, but in summary it appears that if the additional lines are added to /etc/apparmor.d/usr.bin.evince rather than to /etc/apparmor.d/local/usr.bin.evince it all works.