Firejail breaks evince printing #2101

Closed
matu3ba opened this issue Aug 30, 2018 · 7 comments

@matu3ba
Contributor

matu3ba commented Aug 30, 2018

Ubuntu 18.04.1 LTS
firejail version 0.9.56~rc1
GNOME-Dokumentenbetrachter 3.28.2

`firejail --noprofile evince` does not work either,
but `sudo firecfg --clean` makes it possible to print from evince again.

In that regard, uncommenting `nodbus` makes no difference (for me).
From the issue #1843 or commit 7a37dc3 only
-# blacklist /run/user/*/bus was removed and
+# nodbus added.
Did anybody have issues, or can anybody reason about why dbus was not removed in the first place?

@SkewedZeppelin
Collaborator

Can you clarify?
Can you run each of the following and confirm whether you can print or not?

```
firejail /usr/bin/evince
firejail --noprofile /usr/bin/evince
sudo firecfg && sudo -k && evince
```

@matu3ba
Contributor Author

matu3ba commented Aug 30, 2018

The printing dialog opens; however, no installed and connected printer device is found.
Running none of the commands made the corresponding printer device show up.

In comparison, okular works as expected.

@matu3ba
Contributor Author

matu3ba commented Aug 30, 2018

Do the following messages help? They occur with each of the commands [and `# nodbus` is used], so dbus use should work.

```
GLib-GIO-CRITICAL **: 23:49:32.556: g_dbus_proxy_new_sync: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
** (evince:161): WARNING **: Connection failed: No authorization
** (evince:161): WARNING **: Couldn't connect to D-Bus system bus, Connection failed: No authorization
```

@Vincent43
Collaborator

Is evince confined by AppArmor? You may check with sudo aa-status.

@matu3ba
Contributor Author

matu3ba commented Sep 1, 2018

```
sudo aa-status
apparmor module is loaded.
25 profiles are loaded.
23 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/tcpdump
   libreoffice-senddoc
   libreoffice-senddoc//sanitized_helper
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (962)
   /usr/sbin/cupsd (2634)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```

Yes, it is. How do I fix this? Is this not tested during the call of firecfg?

@Vincent43
Collaborator

The only thing firecfg does is making a symlink from evince to firejail. You have to decide if you prefer using AppArmor or firejail to sandbox evince and disable the other one.

@matu3ba
Contributor Author

matu3ba commented Sep 1, 2018

@Vincent43 Thanks a lot.
Curiously, evince with printing also works with the option nodbus enabled (so dbus disabled).
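Added example (not part of the original thread and not firejail project code): a shell check for the situation diagnosed above, where a program is confined by an enforce-mode AppArmor profile and is also wrapped by a firecfg symlink to firejail. The function names are hypothetical, the sample text is abbreviated from the `aa-status` output posted in the thread, and the symlink path is passed in by the caller (firecfg commonly places it under /usr/local/bin, which is an assumption the thread does not state).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Sample abbreviated from the aa-status output posted above.
SAMPLE_AA_STATUS='apparmor module is loaded.
25 profiles are loaded.
23 profiles are in enforce mode.
   /usr/bin/evince
   /usr/sbin/cupsd
2 profiles are in complain mode.
   libreoffice-soffice
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (2634)
0 processes are in complain mode.'

# aa_profile_mode PROFILE: reads aa-status text on stdin and prints the mode
# ("enforce", "complain", ...) the profile is loaded in, or "none".
aa_profile_mode() {
    awk -v target="$1" '
        # Section header, e.g. "23 profiles are in enforce mode."
        /^[0-9]+ profiles are in .* mode\.$/ { mode = $5; next }
        # Process sections follow the profile sections; ignore their entries.
        /^[0-9]+ processes /                 { mode = ""; next }
        mode != "" {
            name = $0
            gsub(/^[ \t]+|[ \t]+$/, "", name)   # strip the list indentation
            if (name == target) { found = mode; exit }
        }
        END { print (found != "" ? found : "none") }
    '
}

# is_firejail_link PATH: true if PATH is a symlink whose target is named firejail.
is_firejail_link() {
    [ -L "$1" ] || return 1
    [ "$(basename "$(readlink "$1")")" = "firejail" ]
}

# double_confined PROFILE LINK: true if PROFILE is enforced by AppArmor (stdin:
# aa-status text) and LINK is a firejail symlink, i.e. both sandboxes apply.
double_confined() {
    [ "$(aa_profile_mode "$1")" = "enforce" ] && is_firejail_link "$2"
}

# Sample run on the embedded text; on a live system pipe `sudo aa-status` instead.
printf '%s\n' "$SAMPLE_AA_STATUS" | aa_profile_mode /usr/bin/evince
```

A true result from `double_confined` means both sandboxes apply to the same binary, which is the case where the thread's advice is to keep one and disable the other.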
