Re: Getting point-and-click working

[David Wright]

On Sat 09 Feb 2019 at 19:03:02 (+0000), David Sumbler wrote:

> I tried all the suggestions on the page suggested.  Nothing helped
> except for completely disabling AppArmor for Evince.  The links then
> work as intended!
> 
> But it would be preferable, probably, not to do that, so I removed the
> disabling link and tried again with the AppArmor files modified as you
> suggested.  I rebooted and, sad to say, the old problem occurs.
> 
> However, in case you or anyone else can make a further suggestion on
> how to get things working even with AppArmor doing its thing, here are
> the lines that appear in my /var/log/syslog file when I open a Lilypond
> PDF file in Evince, and then click on a link.
> 
> Upon opening the file, I get (in a single line):
> 
> Feb  9 18:11:21 vesta kernel: [  975.529752] audit: type=1400
> audit(1549735881.448:47): apparmor="DENIED"
> operation="open" profile="/usr/bin/evince"
> name="/home/david/.local/share/applications/mimeapps.list" pid=3241
> comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> 
> When I click on a link in the displayed file, I get:
> 
> Feb  9 18:11:38 vesta kernel: [  992.243804] audit: type=1400 
> audit(1549735898.161:48): apparmor="DENIED" 
> operation="exec" profile="/usr/bin/evince" 
> name="/usr/local/bin/lilypond-wrapper.guile" pid=3261 
> comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> 
> Although all of the other 71 files in ~/.local/share/applications/ have
> me as owner and group, the file mimeapps.list has owner and group set
> to root.  I looked at my partner's computer, which is running Ubuntu
> 16.04, and there the corresponding file has owner and group set to the
> user, rather than root.  (Presumably this is some change made in
> Ubuntu, since I don't think I can have done anything to change it.)

Is it possible you accidentally ran the command
xdg-mime default lilypond-invoke-editor.desktop x-scheme-handler/textedit
with sudo? There's no way root should be owning any files in /home.

> So I tried changing the ownership of that file on my computer, and sure
> enough, I no longer see an error in the log file when evince is
> started.  But when I click on a link in the Lilypond file I still get:
> 
> Feb  9 18:34:45 vesta kernel: [  200.968460] audit: type=1400
> audit(1549737285.711:45): apparmor="DENIED" 
> operation="exec" profile="/usr/bin/evince"
> name="/usr/local/bin/lilypond-wrapper.guile" pid=2507 
> comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> 
> Clearly I can't sensibly change the ownership of
> /usr/local/bin/lilypond-wrapper.guile, and presumably this is the sort
> of thing AppArmor is supposed to sort out.  I did, however, try adding
> a line specifically for this file in
> /etc/apparmor.d/local/usr.bin.evince, but it hasn't helped.

I too use Debian and, although there are apparmor files dotted around,
it doesn't use them here. However, I get the impression that the
apparmor files are loaded into the kernel, rather than being used
in situ. So I wonder whether, *whenever* you make changes to any of
these files, you have to reparse them with apparmor_parser. Did
you do that? (I don't know if they're loaded at boot time.)

> Meanwhile, I shall go back to disabling AppArmor for Evince, even
> though it is probably slightly less than ideal.

BTW I think there are a few small wrinkles in the documentation:

If you write a file called lilypond-invoke-editor.desktop in a local
directory such as /tmp, then you need to run
xdg-desktop-menu install /tmp/lilypond-invoke-editor.desktop
and not
xdg-desktop-menu install ./lilypond-invoke-editor.desktop

If you run evince but not Gnome, then gnome-open may not be present,
but it may be worth trying xdg-open.

I assume (but cannot test) that the lines:

# For Textedit links
/usr/local/bin/lilypond-invoke-editor Cx -> sanitized_helper,

should be adjusted according to where lilypond was installed.
(In your case, you happen to have matched its assumption.)

Cheers,
David.