Results 1 to 6 of 6

Thread: Evince: "Failed to execute child process"

  1. #1
    Join Date
    Jun 2007
    Beans
    49

    Evince: "Failed to execute child process"

    I have a pdf file with an embedded hyperlink. If I click on the link in acroread, I am given a warning ("The document is trying to connect to ...") and am asked if I wish to proceed. If I click yes, firefox opens the link.

    If I click on the link in Evince, I get the message "Failed to execute child process "/opt/firefox/firefox" (Permission denied)" (I have beta 8 of firefox installed). Executables in the firefox directory are root:root 755.

    This appears in syslog:

    Dec 30 14:08:03 laptop kernel: [318713.881253] type=1503 audit(1293739683.737:37): operation="exec" pid=27480 parent=27479 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/opt/firefox/firefox"
    Can someone help me understand why evince is failing to open the link? Thanks!

    Bob
    Last edited by rmcd; December 30th, 2010 at 09:24 PM. Reason: To correct "::x" being interepreted as a smiley!

  2. #2
    Join Date
    Dec 2007
    Location
    forests whenever possible
    Beans
    48
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Evince: "Failed to execute child process"

    This seems to be apparmor not allowing evince to open external documents as it can be a risky if one opens untrusted things..
    I think evince's profile could be changed so apparmor will allow opening these files.
    I do not (yet) know how to do this..

    ps: I am having the same problem with a text file which should be opened by gedit.

    cheers.

  3. #3
    Join Date
    Jun 2007
    Beans
    49

    Arrow Re: Evince: "Failed to execute child process"

    Apparmor, ah! Excellent! Thank you!

    A solution is:

    Code:
    sudo ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince
    sudo /etc/init.d/apparmor restart
    This totally disables apparmor protection for evince. Probably not ideal, but the documentation for apparmor is slow going and I can't see how to change the specific behavior for https links.

    Looking at apparmor docs, it seems that apparmor_parser will reload the (disabled) profile without restarting apparmor.

  4. #4
    Join Date
    Dec 2007
    Location
    forests whenever possible
    Beans
    48
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Evince: "Failed to execute child process"

    Quote Originally Posted by rmcd View Post
    Apparmor, ah! Excellent! Thank you!
    Welcome
    Quote Originally Posted by rmcd View Post
    A solution is:
    Code:
    sudo ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince
    sudo /etc/init.d/apparmor restart
    I dare say it's more a workaround than a solution..but as long as there is no alternative this is acceptable .

    cheers.

  5. #5
    Join Date
    Jul 2008
    Location
    Raleigh, NC
    Beans
    7
    Distro
    Ubuntu

    Re: Evince: "Failed to execute child process"

    Code:
    sudo ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince
    sudo /etc/init.d/apparmor restart
    This totally disables apparmor protection for evince.
    Note that acroread has *no* apparmor protections, so with the completely disabled solution for Evince, you're no worse off than you were with Adobe's product. However, if apparmor is a possibility, I still suggest "doing the right thing." Here's the syntax you need:

    Code:
    /usr/bin/firefox   Px,
    Put that on it's own line, somewhere within the /usr/bin/evince { ... } declaration in /etc/apparmor.d/usr.bin.evince. (I put it on the last line, just before the closing brace.)

    You can choose one of px, Px, ux, Ux, ix. If you just want something working, the above should work. It's the safest of the *x options. For more info, look to 'man apparmor.d'

    Probably not ideal, but the documentation for apparmor is slow going and I can't see how to change the specific behavior for https links.
    I don't immediately see a way to block http vs https. In fact, other than blocking all TCP connections but on port 443, there is no way, because one of the things that SSL provides is complete, end-to-end encryption. In other words, there's no way for apparmor to detect that an https connection is being made. All it would know is that it didn't understand the information it saw going out.

  6. #6
    Join Date
    Mar 2006
    Beans
    Hidden!

    Re: Evince: "Failed to execute child process"

    No, put that rule into /etc/apparmor.d/local/usr.bin.evince.

    Here the associated README:

    Code:
    # This directory is intended to contain profile additions and overrides for
    # inclusion by distributed profiles to aid in packaging AppArmor for
    # distributions.
    #
    # The shipped profiles in /etc/apparmor.d can still be modified by an
    # administrator and people should modify the shipped profile when making
    # large policy changes, rather than trying to make those adjustments here.
    #
    # For simple access additions or the occasional deny override, adjusting them
    # here can prevent the package manager of the distribution from interfering
    # with local modifications. As always, new policy should be reviewed to ensure
    # it is appropriate for your site.
    #
    # For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
    #   #include <local/usr.sbin.smbd>
    #
    # then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to
    # contain any additional paths to be allowed, such as:
    #
    #   /var/exports/** lrwk,
    #
    # Keep in mind that 'deny' rules are evaluated after allow rules, so you won't
    # be able to allow access to files that are explicitly denied by the shipped
    # profile using this mechanism.
    /etc/apparmor.d/local/README (END)

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •