[Bug 1127934] New: dvipdf fails in tumbleweed
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934 Bug ID: 1127934 Summary: dvipdf fails in tumbleweed Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: bnc-team-screening@forge.provo.novell.com Reporter: vidar@hi.is QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- dvipdf bref_isl.dvi /usr/bin/dvipdf: line 36: /usr/bin/basename: Permission denied /usr/bin/dvipdf: line 46: /usr/bin/dvips: Permission denied /usr/bin/dvipdf: line 46: /usr/bin/dvips: Success /usr/bin/dvipdf: line 46: /usr/bin/gs: Permission denied dvips is OK, but ps2pdf fails in a similar manner. This might be a bug in another subsystem. -- Viðar Guðmundsson -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c3
--- Comment #3 from Vidar Gudmundsson
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c6
Christian Boltz
Thank you very much. Yes, removing the file works after the machine is rebooted. It was not enough to stop and start apparmor with the systemd tools.
Right, you'll need to run aa-remove-unknown to unload the profile after deleting it. Note that this will also unload automatically generated profiles, for example from LXC. We had to intentionally break "systemctl stop apparmor" - see "systemctl cat apparmor.service" or the release notes for details. There's also aa-disable whichis a better way to disable a profile permanently (unless you re-enable it with aa-enforce) - but aa-complain is more useful, see below.
I am not in a hurry as I understand the issue and can avoid it.
If you want to help to improve the profile, please restore the AppArmor profile and then put it in complain/learning mode: aa-complain /etc/apparmor.d/usr.bin.gs In complain mode, everything will be allowed, but things that would be denied will be logged in /var/log/audit/audit.log. Please use dvipdf, and then attach your audit.log.
I appreciate the work on suspected security risk.
:-) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c7
--- Comment #7 from Vidar Gudmundsson
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c8
--- Comment #8 from Vidar Gudmundsson
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c9
--- Comment #9 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c10
--- Comment #10 from Vidar Gudmundsson
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c11
--- Comment #11 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c12
--- Comment #12 from Vidar Gudmundsson
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934
http://bugzilla.opensuse.org/show_bug.cgi?id=1127934#c18
--- Comment #18 from Christian Boltz
As usual I keep changed packages in the OBS Printing project for the default time without immediately forwarding changes to openSUSE_Factory --> openSUSE_Tumbleweed
Can you please make an exception in this case? Currently, several things in the Tumbleweed ghostscript package are broken because of the too restrictive AppArmor profile. The updated package fixes all this by adding permissions to the profile. I see no point in keeping the broken state in Tumbleweed for another week, especially when the fix is already available. BTW: I reviewed the updated package and the updated AppArmor profile, and can confirm that it fixes the issues that were reported. And I'm sure I know a bit ;-) more about AppArmor than you ;-) -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com