evince-thumbnailer gets permission denied from apparmor (and hangs the system for long periods of time)

Bug #778638 reported by Andre D
This bug affects 22 people
Affects | Status | Importance | Assigned to | Milestone
evince (Ubuntu) | Fix Released | Low | Jamie Strandboge |
Natty | Fix Released | Low | Marc Gariépy |

Bug Description

Binary package hint: evince

On my workstation (10.65.4.190), my $(HOME) is mounted from an nfs server (10.65.21.2) and for some reason apparmor denies evince-thumbnailer to do its work. This causes _long_ delays blocking the complete desktop for many minutes every now and then:

[ 97.012905] type=1400 audit(1304700706.641:24): apparmor="DENIED" operation="sendmsg" parent=2437 profile="/usr/bin/evince-thumbnailer" pid=2464 comm="evince-thumbnai" laddr=10.65.4.190 lport=712 faddr=10.65.21.2 fport=2049 family="inet" sock_type="stream" protocol=6
[ 97.012921] nfs: RPC call returned error 13

This is on maverick, but also on oneiric

evince version: 2.32.0-0ubuntu12.1
apparmor version: 2.6.1-0ubuntu3

Andre D (ad-andred) wrote :

Sorry, not on maverick, but on natty and oneiric

James Turner (james-turner) wrote :

Not experienced the hanging issue, but operation of evince-thumbnailer over the network is restricted as of 2.32.0-0ubuntu10 - see bug #720961. One of the knock-on effects of this is that thumbnails of PDF files, etc, no longer work on NFS shares. The fault reported here may be a regression issue arising from this change?

Arne Hanssen (kingel) wrote :

I'm also experiencing this problem - a temporary solution is disabling the evince profile with the command
apparmor_parser -R /etc/apparmor.d/usr.bin.evince
before using evince. Otherwise evince becomes useless. Does anyone know how to fix this?

Philip Langdale (langdalepl) wrote :

Yeah, it's a result of that change. If you re-include abstractions/nameservice for evince-thumbnailer, it works with files over nfs again. This is not unreasonable functionality, so a way should be found to allow previews for nfs files while restricting more general, undesirable, access.

Thierry C (thierry-canales-tarmo) wrote :

Hi,
My workstation on Natty hangs with the same messages.
Regards.

Harald Rudell (harald-rudell) wrote :

Have it, too: natty x64 box uses share from maverick x86

double-click a pdf in Nautilus on nfs-share file: hangs evince, Nautilus, and any Terminal trying to ls the nfs share

get-around is (as mentioned):
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince

Arne Hanssen (kingel) wrote :

Better work-around is, as mentioned by Philip Langdale, editing the file
/etc/apparmor.d/usr.bin.evince
like this (insert the nameservice-line):

/usr/bin/evince-thumbnailer {
  #include <abstractions/evince>
  #include <abstractions/nameservice>
:

CarbonPepper (carbonpepper) wrote :

Also experiencing this. /home mounted from server by autofs 11.04 64 bit.

dr=192.168.1.24 lport=725 faddr=192.168.1.99 fport=2049 family="inet" sock_type="stream" protocol=6
[ 650.501418] nfs: RPC call returned error 13
[ 653.513082] type=1400 audit(1307380623.806:126): apparmor="DENIED" operation="sendmsg" parent=1 profile="/usr/bin/evince-thumbnailer" pid=2999 comm="evince-thumbnai" laddr=192.168.1.24 lport=725 faddr=192.168.1.99 fport=2049 family="inet" sock_type="stream" protocol=6
[ 653.513106] nfs: RPC call returned error 13
[ 656.521924] type=1400 audit(1307380626.816:127): apparmor="DENIED" operation="sendmsg" parent=1 profile="/usr/bin/evince-thumbnailer" pid=2999 comm="evince-thumbnai" laddr=192.168.1.24 lport=725 faddr=192.168.1.99 fport=2049 family="inet" sock_type="stream" protocol=6
[ 656.521939] nfs: RPC call returned error 13

Claudio Bernardini (claudiob) wrote :

Modifying /etc/apparmor.d/usr.bin.evince as mentioned by Philip Langdale and suggested by Arne Hanssen worked for me.
This is a serious problem for a network of Ubuntu 11.04 clients with NFS network access.

Changed in evince (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

To re-enable network access, you can add the following to /etc/apparmor.d/usr.bin.evince to the '/usr/bin/evince-thumbnailer' stanza:
  # TCP/UDP network access
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

Then do:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

It should be noted that the default install of Ubuntu uses 'Local Files Only' for thumbnailing via nautilus, and changing this preference back to the default should also work around this issue.
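
Added example, not part of the original thread or of the evince packaging: a small parser that reads AppArmor DENIED audit lines like the ones quoted in this report and derives the narrowest 'network' rule each profile would need, which is worth checking before widening a profile with a whole abstraction. The function names are hypothetical, and the third (file) log line is constructed to show that non-network denials are skipped.

```python
import re
from collections import defaultdict

# Sample input: two lines as quoted in this report, plus one constructed
# file denial (path and timestamp invented) that must not yield a rule.
SAMPLE_LOG = '''\
[ 97.012905] type=1400 audit(1304700706.641:24): apparmor="DENIED" operation="sendmsg" parent=2437 profile="/usr/bin/evince-thumbnailer" pid=2464 comm="evince-thumbnai" laddr=10.65.4.190 lport=712 faddr=10.65.21.2 fport=2049 family="inet" sock_type="stream" protocol=6
[ 97.012921] nfs: RPC call returned error 13
[ 98.000000] type=1400 audit(1304700707.000:25): apparmor="DENIED" operation="open" profile="/usr/bin/evince-thumbnailer" name="/etc/example.conf" pid=2464 comm="evince-thumbnai" requested_mask="r" denied_mask="r"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
NFS_PORT = "2049"

def parse_denials(log_text):
    """Yield one dict of audit fields per AppArmor DENIED line."""
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        yield {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def network_rules(log_text):
    """Map each profile to the network rules its denials imply, and NFS use."""
    out = defaultdict(lambda: {"rules": set(), "nfs": False})
    for ev in parse_denials(log_text):
        if "family" not in ev or "sock_type" not in ev:
            continue  # file/capability denials need other rule types
        entry = out[ev["profile"]]
        entry["rules"].add(f'network {ev["family"]} {ev["sock_type"]},')
        entry["nfs"] = entry["nfs"] or ev.get("fport") == NFS_PORT
    return {p: {"rules": sorted(e["rules"]), "nfs": e["nfs"]} for p, e in out.items()}

if __name__ == "__main__":
    for profile, info in network_rules(SAMPLE_LOG).items():
        print(profile, info)
```

For the denials quoted in this report the only rule implied is 'network inet stream,' toward the NFS port, a subset of the four rules listed above.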

Changed in evince (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in evince (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.0.2-0ubuntu3

---------------
evince (3.0.2-0ubuntu3) oneiric; urgency=low

  * debian/apparmor-profile: re-enable networking for the thumbnailer for
    people who have configured nautilus to preview remote files when using
    NFS. This reverts the fix for LP 720961.
    - LP: #778638
 -- Jamie Strandboge <email address hidden> Wed, 22 Jun 2011 13:35:48 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released
Nico Haase (nicohaase) wrote :

Will there also be a fix for Natty?

Giovanni Bajo (giovannibajo) wrote :

Can we please get a backport for Natty?

Marc Gariépy (mgariepy) wrote :

Here is the debdiff for the package in natty.

Changed in evince (Ubuntu Natty):
status: New → Triaged
tags: added: patch-needswork
Jamie Strandboge (jdstrand) wrote :

Marc, thanks for your patch!

The patch looks good except that you included the fix for bug #807507 as part of the patch, but didn't include it in the changelog. Since it isn't clear what the intent is here, please either update the patch to remove this fix or update the changelog to include a description of this fix (and update bug #807507 according to https://wiki.ubuntu.com/StableReleaseUpdates).

Please mark the bug back to 'Confirmed' and resubscribe ubuntu-sponsors when the changes are complete. Thanks again.

Changed in evince (Ubuntu Natty):
assignee: nobody → Marc Gariépy (mgariepy)
importance: Undecided → Low
status: Triaged → Incomplete
Marc Gariépy (mgariepy) wrote :

updated patch, removing the patch from the other bug.

Changed in evince (Ubuntu Natty):
status: Incomplete → Confirmed
Stéphane Graber (stgraber) wrote :

Looks good, uploaded.

Changed in evince (Ubuntu Natty):
status: Confirmed → Fix Committed
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Andre, or anyone else affected,

Accepted evince into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Konrad Hofer (konrad.hofer) wrote :

works ok for me. When is the package in updates?

Martin Pitt (pitti) wrote :

Thanks for testing! Should go into -updates in 3 days, when the 7 days regression test/reporting period is over.

tags: added: verification-done
removed: verification-needed
Steve Blamey (fedorus-deactivatedaccount) wrote :

Glad to find an answer for this thumbnailer issue. I've just tested the proposed packages and they also work for me.

It's worth mentioning that you need to install both evince and evince-common packages from proposed:

 aptitude install evince/natty-proposed evince-common/natty-proposed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.32.0-0ubuntu12.3

---------------
evince (2.32.0-0ubuntu12.3) natty-proposed; urgency=low

  * debian/apparmor-profile: enable networking for the thumbnailer for
    people who have configured nautilus to preview remote files when using
    NFS. (LP: #778638)
 -- Marc Gariepy <email address hidden> Wed, 31 Aug 2011 11:42:48 -0400

Changed in evince (Ubuntu Natty):
status: Fix Committed → Fix Released