[Solved] Okular Undefined Mimetypes (was: Denied access to /home/user/)

Qubes-Whonix-12
Followed steps from AppArmor to set kernelopts for Whonix Templates and existing AppVMs.
Installed AppArmor Profiles from Whonix Testers Repository. Reboot all VMs.
In existing AppVMs, okular & gwenview behave as expected: access (rw) is granted to /home/user/ and /home/user/Downloads. access (r) is denied to /home/user/somethingelse.
Created new AppVMs based on existing Templates. kernelopts are inherited. env var $HOME=/home/user. Running okular generates many DENIED operations (not present on Existing AppVMs):

Apr 15 22:23:20 host kernel: [   17.718374] audit: type=1400 audit(1460759000.626:17): apparmor="DENIED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=2044 comm="okular" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   17.779099] audit: type=1400 audit(1460759000.686:18): apparmor="DENIED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=2048 comm="kdeinit4" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   17.825963] audit: type=1400 audit(1460759000.732:19): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/config/kdedrc" pid=2050 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   17.826143] audit: type=1400 audit(1460759000.733:20): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-lowfat/share/config/kdedrc" pid=2050 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   17.973326] audit: type=1400 audit(1460759000.880:21): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/config/kdedrc" pid=2051 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   17.973367] audit: type=1400 audit(1460759000.880:22): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-lowfat/share/config/kdedrc" pid=2051 comm="kded4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   18.040736] audit: type=1400 audit(1460759000.947:23): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/mime/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   18.040758] audit: type=1400 audit(1460759000.947:24): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/home/user/.kde/share/kde4/services/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 15 22:23:20 host kernel: [   18.040775] audit: type=1400 audit(1460759000.947:25): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/kde4/services/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   18.088457] audit: type=1400 audit(1460759000.995:26): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/kde-power-savings-disable-in-vms/share/kde4/services/plasma-applet-batterymonitor.desktop" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Also, DENIED access to /home/user:

Apr 15 23:43:29 host kernel: [ 4827.022576] audit: type=1400 audit(1460763809.929:108): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/home/user/" pid=3910 comm="kio_file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Tried aa-complain, followed by aa-logprof. No changes proposed.
Tried aa-disable /etc/apparmor.d/usr.bin.okular. Still no access to /home/user.
Maybe not apparmor related?
Feels like I need to initialize something without apparmor present?

Changed new AppVM kernelopts to “nopat”.
Launched okular & gwenview, navigated to /home/user/, viewed .jpg without any issues.
Changed new AppVM kernelopts back to “nopat apparmor=1 security=apparmor”
All DENIED messages still present. :frowning:
Not sure what is different about this new AppVM vs my existing AppVMs… (All based on original, non-upgraded Whonix-12 templates)
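To get an overview of a burst of denials like the one above before deciding whether the profile or something else is at fault, it helps to group the audit lines by profile and path and union the denied masks. The following is an added example, not code from the thread or from Whonix; the embedded sample is constructed from four of the audit lines quoted above, and the suggested rules are candidates for human review, in the spirit of what aa-logprof proposes.

```python
import re
from collections import defaultdict

# Constructed sample: three DENIED lines and one ALLOWED line copied from the post above.
SAMPLE_LOG = """\
Apr 15 22:23:20 host kernel: [   17.718374] audit: type=1400 audit(1460759000.626:17): apparmor="DENIED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=2044 comm="okular" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   18.040736] audit: type=1400 audit(1460759000.947:23): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/usr/share/mime/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 15 22:23:20 host kernel: [   18.040758] audit: type=1400 audit(1460759000.947:24): apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/home/user/.kde/share/kde4/services/" pid=2052 comm="kbuildsycoca4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 20 20:26:26 host kernel: [   81.512181] audit: type=1400 audit(1461183986.583:18): apparmor="ALLOWED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=1920 comm="okular" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/okular//null-1"
"""

# key="quoted value" or key=bare_value, as printed by the AppArmor audit subsystem
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted = m.group(1), m.group(3)
        fields[key] = quoted if quoted is not None else m.group(2)
    return fields


def summarize_denials(log_text):
    """Group DENIED events by (profile, path) and union their denied_mask letters."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue  # ALLOWED (complain-mode) and unrelated lines are skipped
        denied[(f['profile'], f['name'])].update(f.get('denied_mask', ''))
    return denied


def suggest_rules(denied):
    """Render candidate AppArmor file rules per profile, for human review only."""
    rules = defaultdict(list)
    for (profile, path), masks in sorted(denied.items()):
        # Exec denials need an exec qualifier; 'ix' (inherit the profile) is the cautious default.
        mode = ''.join(m for m in 'mrwlk' if m in masks) + ('ix' if 'x' in masks else '')
        rules[profile].append(f'{path} {mode},')
    return dict(rules)


if __name__ == '__main__':
    for profile, lines in suggest_rules(summarize_denials(SAMPLE_LOG)).items():
        print(f'# candidate rules for {profile}')
        print('\n'.join(lines))
```

The grouped view makes it obvious when the blocked paths belong to a helper such as kbuildsycoca4 rather than to the viewer itself, which is the kind of hint that points away from the profile and toward the application's own state.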

Qubes Whonix 12

New AppVM based on Whonix-Workstation-12 template with apparmor kernelopts and apparmor-profiles from Whonix Testers Repository. (following AppArmor)

Okular with the default profile enabled cannot open a jpeg file.

Error message:

okular(2046)/kdecore (trader) mimeTypeSycocaServiceOffers: KMimeTypeTrader: mimeType "image/jpeg" not found 
okular(2046)/okular (app) Okular::Document::openDocument: No plugin for mimetype '"image/jpeg"'.

In addition, first run per boot produces numerous kbuildsycoca4 messages.

Some samples:

kbuildsycoca4(2055) KBuildSycoca::checkTimestamps: checking file timestamps
kbuildsycoca4(2055) KBuildSycoca::checkDirTimestamps: timestamp changed: "/usr/share/kde4/servicetypes/"
kbuildsycoca4(2055) kdemain: Reusing existing ksycoca
kbuildsycoca4(2055) KBuildSycoca::recreate: Recreating ksycoca file ("/var/tmp/kdecache-user/ksycoca4", version 241)
kbuildsycoca4(2055) KBuildSycoca::createEntry: new: "kateplugin.desktop" in servicetypes
kbuildsycoca4(2055) KBuildSycoca::createEntry: modified: "qvm-dvm.desktop" in services
kbuildsycoca4(2055) KBuildSycoca::createEntry: new: "katetabifyplugin.desktop" in services
kbuildsycoca4(2055) KBuildSycoca::createEntry: new: "katemailfilesplugin.desktop" in services
...
kbuildsycoca4(2055) KBuildSycoca::build: Still in the time dict (i.e. deleted files) ("apps", "xdgdata-mime")
kbuildsycoca4(2055) VFolderMenu::pushDocInfo: Menu "debian-menu.menu" not found.
kbuildsycoca4(2055) VFolderMenu::pushDocInfo: Menu "applications-kmenuedit.menu" not found.
kbuildsycoca4(2055) VFolderMenu::processMenu: Processing KDE Legacy dirs for <KDE>
kbuildsycoca4(2055) VFolderMenu::processKDELegacyDirs:
kbuildsycoca4(2055) VFolderMenu::loadApplications: Looking up applications under "/usr/share/applications/"
kbuildsycoca4(2055) KBuildSycoca::createEntry: modified: "/usr/share/applications/display-im6.q16.desktop" in apps
kbuildsycoca4(2055) KBuildSycoca::createEntry: modified: "/usr/share/applications/display-im6.desktop" in apps
kbuildsycoca4(2055) KBuildSycoca::createEntry: modified: "/usr/share/applications/iceweasel.desktop" in apps
...
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/display-im6.q16.desktop" specifies undefined mimetype/servicetype "image/avs"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/display-im6.q16.desktop" specifies undefined mimetype/servicetype "image/bie"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/display-im6.q16.desktop" specifies undefined mimetype/servicetype "image/x-ms-bmp"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/display-im6.q16.desktop" specifies undefined mimetype/servicetype "image/cmyk"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/display-im6.q16.desktop" specifies undefined mimetype/servicetype "image/dcx"
...
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "phononbackends/vlc.desktop" specifies undefined mimetype/servicetype "audio/mpeg3"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "phononbackends/vlc.desktop" specifies undefined mimetype/servicetype "audio/vnd.rn-realmedia"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "phononbackends/vlc.desktop" specifies undefined mimetype/servicetype "audio/x-16sv"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "phononbackends/vlc.desktop" specifies undefined mimetype/servicetype "audio/x-8svx"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "phononbackends/vlc.desktop" specifies undefined mimetype/servicetype "audio/x-basic"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "phononbackends/vlc.desktop" specifies undefined mimetype/servicetype "audio/x-mpeg2"
...
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/vlc.desktop" specifies undefined mimetype/servicetype "audio/x-pn-aiff"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/vlc.desktop" specifies undefined mimetype/servicetype "audio/x-pn-au"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/vlc.desktop" specifies undefined mimetype/servicetype "audio/x-pn-wav"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/vlc.desktop" specifies undefined mimetype/servicetype "audio/x-pn-windows-acm"
kbuildsycoca4(2055) KBuildServiceFactory::populateServiceTypes: "/usr/share/applications/vlc.desktop" specifies undefined mimetype/servicetype "application/x-extension-mp4"

Solution (or something)
Before first Okular run,
sudo aa-complain /usr/bin/okular
Launch Okular, navigate file open dialog, open jpeg file, quit.
sudo aa-logprof
says profiles updated in /etc/apparmor.d, though no interactions are presented to the user. Checked usr.bin.okular and no changes were made. Not sure if aa-logprof can change other profiles.
sudo aa-enforce /usr/bin/okular
Run Okular and now able to open jpeg files…
This was performed in AppVM and does not persist across reboots. Must be performed in TemplateVM which is bad because we do not want to run executables in our template. Real solution is to find out cause of error in profile. Help please!


Here are the ALLOWED operations from /var/log/kern.log while in complain mode:

Apr 20 20:26:26 host kernel: [   81.512181] audit: type=1400 audit(1461183986.583:18): apparmor="ALLOWED" operation="exec" profile="/usr/bin/okular" name="/bin/dash" pid=1920 comm="okular" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/okular//null-1"
Apr 20 20:26:26 host kernel: [   81.513188] audit: type=1400 audit(1461183986.584:19): apparmor="ALLOWED" operation="open" profile="/usr/bin/okular//null-1" name="/etc/ld.so.cache" pid=1920 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 20 20:26:26 host kernel: [   81.513200] audit: type=1400 audit(1461183986.584:20): apparmor="ALLOWED" operation="getattr" profile="/usr/bin/okular//null-1" name="/etc/ld.so.cache" pid=1920 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 20 20:26:26 host kernel: [   81.513226] audit: type=1400 audit(1461183986.584:21): apparmor="ALLOWED" operation="open" profile="/usr/bin/okular//null-1" name="/lib/x86_64-linux-gnu/libc-2.19.so" pid=1920 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 20 20:26:26 host kernel: [   81.513242] audit: type=1400 audit(1461183986.584:22): apparmor="ALLOWED" operation="getattr" profile="/usr/bin/okular//null-1" name="/lib/x86_64-linux-gnu/libc-2.19.so" pid=1920 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 20 20:26:26 host kernel: [   81.513252] audit: type=1400 audit(1461183986.584:23): apparmor="ALLOWED" operation="file_mmap" profile="/usr/bin/okular//null-1" name="/lib/x86_64-linux-gnu/libc-2.19.so" pid=1920 comm="sh" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
Apr 20 20:26:26 host kernel: [   81.513422] audit: type=1400 audit(1461183986.584:24): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/okular//null-1" name="/bin/dash" pid=1920 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 20 20:26:26 host kernel: [   81.513439] audit: type=1400 audit(1461183986.584:25): apparmor="ALLOWED" operation="file_mprotect" profile="/usr/bin/okular//null-1" name="/lib/x86_64-linux-gnu/ld-2.19.so" pid=1920 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 20 20:26:26 host kernel: [   81.513588] audit: type=1400 audit(1461183986.584:26): apparmor="ALLOWED" operation="getattr" profile="/usr/bin/okular//null-1" name="/home/user/" pid=1920 comm="sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 20 20:26:34 host kernel: [   89.113878] audit_printk_skb: 288 callbacks suppressed
Apr 20 20:26:34 host kernel: [   89.113896] audit: type=1400 audit(1461183994.184:123): apparmor="ALLOWED" operation="open" profile="/usr/bin/okular" name="/home/user/" pid=1919 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 20 20:26:34 host kernel: [   89.114753] audit: type=1400 audit(1461183994.185:124): apparmor="ALLOWED" operation="open" profile="/usr/bin/okular" name="/home/user/" pid=1919 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 20 20:26:34 host kernel: [   89.124746] audit: type=1400 audit(1461183994.195:125): apparmor="ALLOWED" operation="open" profile="/usr/bin/okular" name="/home/user/" pid=1949 comm="kio_file" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


abstractions/base has a line:
/lib/@{multiarch}/** r, and
/lib/@{multiarch}/lib*.so* mr,
which should cover the libc permissions?

what a mess… disregard all of the above…

In a nutshell:

  1. enabled apparmor in template vm, installed apparmor-profiles-whonix
  2. any appVM based on that template (even with apparmor disabled in kernelopts) can not open jpg files in okular

Before changes to template vm, this issue was not present.

Solution: run kbuildsycoca4. No idea why. Something related to apparmor install modified /var/tmp/kdecache-user/ksycoca4.

Okular apparmor profile is fine.

While troubleshooting, discovered that aa-logprof wasn’t doing anything at all… AppArmor and Whonix - #4 by entr0py
