我用 APT 安装 wike。它不运行。当我从终端运行它时,出现以下错误。
$ wike
(process:11686): Gtk-WARNING **: 02:55:41.246: Unknown key gtk-modules in /home/archisman/.config/gtk-4.0/settings.ini
bwrap: setting up uid map: Permission denied
** (wike:11686): ERROR **: 02:55:41.837: Failed to fully launch dbus-proxy: Child process exited with code 1
Trace/breakpoint trap
如何修复它?
Balena Etcher 无法在 Ubuntu 24.04 中打开。如何运行它?
我想查看例如apparmor的限制dhclient
我试着跑
apparmor_parser -p /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data
我有 :
AppArmor parser error for /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data in profile /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data at line 1: Lexer found unexpected character: '' (0x4) in state: INITIAL
如何查看 Apparmor 对某些进程的限制?通过查看/sys/kernel/security/apparmor/policy/profiles/目录
askubuntu.com,我需要一些帮助来调试我的 MySQL 设置!在过去的几年里,我一直在 Dropbox 上托管我的本地开发资源,它运行良好。上周,我决定清理我的计算机并这次使用 Ubuntu 而不是 Linux Mint(无关紧要,但是耶!)。所以,关于重要的细节:
中的 datadir 条目/etc/mysql/mysql.conf.d/mysqld.cnf定义为datadir = "/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql".
/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases 777的权限(悲伤的脸,但我现在试图消除可能性)和所有者用户/组是mysql:mysql,递归。
我在/etc/apparmor.d/tunables/aliasas中定义了一个 Apparmor 别名alias /var/lib/mysql/ -> "/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/",。我还添加了条目/etc/apparmor.d/usr.sbin.mysqld作为
# Allow data dir access
/var/lib/mysql/ r,
"/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/" r,
/var/lib/mysql/** rwk,
"/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/**" rwk,
此外,在我的测试期间,我使用(如何禁用 AppArmor for MySQL)中的说明从强制执行列表中删除了 MySQL,因此 Apparmor 根本不应该影响进程。我的输出sudo aa-status是
apparmor module is loaded.
39 profiles are loaded.
39 profiles are in enforce mode.
/snap/core/9289/usr/lib/snapd/snap-confine
/snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/7777/usr/lib/snapd/snap-confine
/snap/snapd/7777/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
/{,usr/}sbin/dhclient
ippusbxd
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.core
snap-update-ns.gimp
snap-update-ns.snap-store
snap-update-ns.spotify
snap.core.hook.configure
snap.gimp.gimp
snap.gimp.hook.install
snap.gimp.hook.post-refresh
snap.snap-store.snap-store
snap.snap-store.ubuntu-software
snap.snap-store.ubuntu-software-local-file
snap.spotify.spotify
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/cups-browsed (1066)
/usr/sbin/cupsd (980)
/snap/snap-store/454/usr/bin/snap-store (2422) snap.snap-store.ubuntu-software
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
该命令sudo service mysql start产生输出
Job for mysql.service failed because the control process exited with error code.
See "systemctl status mysql.service" and "journalctl -xe" for details.
该命令的 mysqld 输出journalctrl -xe为
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.016428Z 0 [Warning] [MY-010091] [Server] Can't create test file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.016478Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.20-0ubuntu0.20.04.1) starting as process 6655
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018301Z 0 [Warning] [MY-010091] [Server] Can't create test file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018309Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/ is case insensitive
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018491Z 0 [ERROR] [MY-013276] [Server] Failed to set datadir to '/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/' (OS errno: 13 - Permission denied)
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018547Z 0 [ERROR] [MY-010119] [Server] Aborting
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018619Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.20-0ubuntu0.20.04.1) (Ubuntu).
Jun 12 19:28:26 tehccount systemd[1]: mysql.service: Main process exited, code=exited, status=1/FAILURE
该命令的输出sudo systemctl status mysql.service是
mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-06-12 19:28:27 EDT; 5min ago
Process: 6671 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
Process: 6679 ExecStart=/usr/sbin/mysqld (code=exited, status=1/FAILURE)
Main PID: 6679 (code=exited, status=1/FAILURE)
Status: "Server startup in progress"
Error: 13 (Permission denied)
Jun 12 19:28:27 tehccount systemd[1]: mysql.service: Scheduled restart job, restart counter is at 5.
Jun 12 19:28:27 tehccount systemd[1]: Stopped MySQL Community Server.
Jun 12 19:28:27 tehccount systemd[1]: mysql.service: Start request repeated too quickly.
Jun 12 19:28:27 tehccount systemd[1]: mysql.service: Failed with result 'exit-code'.
Jun 12 19:28:27 tehccount systemd[1]: Failed to start MySQL Community Server.
该命令的输出sudo -u mysql /usr/sbin/mysqld是
2020-06-12T23:36:08.460482Z 0 [Warning] [MY-010091] [Server] Can't create test file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
2020-06-12T23:36:08.460535Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.20-0ubuntu0.20.04.1) starting as process 6866
2020-06-12T23:36:08.462316Z 0 [Warning] [MY-010091] [Server] Can't create test file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
2020-06-12T23:36:08.462334Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/ is case insensitive
2020-06-12T23:36:08.462514Z 0 [ERROR] [MY-013276] [Server] Failed to set datadir to '/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/' (OS errno: 13 - Permission denied)
2020-06-12T23:36:08.462555Z 0 [ERROR] [MY-010119] [Server] Aborting
2020-06-12T23:36:08.462622Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.20-0ubuntu0.20.04.1) (Ubuntu).
使用 导航到预期的 mysql 数据目录cd /home/tehccount/Dropbox/DesignInk\ Digital/Kyle/Development\ Databases/mysql/,然后使用命令sudo -u mysql touch testfile.txt成功创建文件/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/testfile.txt
尽管我尽了最大的努力并每天工作 8 小时,但我一直无法弄清楚为什么这个过程/usr/sbin/mysqld无法开始。MySQL 应该从 Apparmor 中删除,并且 datadir 的权限设置为神奇的自由777权限。在使用具有 Apparmor 和适当权限的 Linux Mint 之前,我已成功完成此操作。欢迎任何建议,谢谢。
我试图逃跑docker-compose up,/data/myproject但失败了:
/data/myproject# docker-compose up
ERROR:
Can't find a suitable configuration file in this directory or any
parent. Are you in the right directory?
Supported filenames: docker-compose.yml, docker-compose.yaml
显然这是由于 AppArmor 阻止了该访问,因为docker-compose.yml目录中肯定存在,并且docker-compose.yml我的$HOME. 只有当我将它移到它时才/data不会。
/data/myproject# dmesg | tail
...
[62950.885492] audit: type=1400 audit(1591658453.915:144): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/7429/mounts" pid=7429 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[63016.064496] audit: type=1400 audit(1591658519.090:145): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/7476/mounts" pid=7476 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[63043.767933] audit: type=1400 audit(1591658546.793:146): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/7505/mounts" pid=7505 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
我的问题:如何添加到//data的允许目录?dockerdocker-compose
Pulseaudio 在守护程序模式下运行,我可以通过 aplay、vlc 等播放声音,所以我知道声音正在工作。
chrome 运行时 dmesg 的输出表明 apparmor 正在阻止对声音设备的访问:
[Mon Feb 24 16:54:34 2020] audit: type=1400 audit(1582581275.262:2277): apparmor="DENIED" operation="mkdir" profile="snap.chromium.chromium" name="/run/user/1000/" pid=16304 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.250:2278): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.618:2279): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.618:2280): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.750:2281): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.750:2282): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:58:48 2020] audit: type=1400 audit(1582581529.770:2284): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
我已经通过 systemctl stop apparmor 停止了 apparmor。
编辑:#1:
19 processes are in enforce mode.
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1227) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1622) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1633) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1686) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1690) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (3354) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (12295) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (12414) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (16471) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (17290) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (20617) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (22088) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (23416) snap.chromium.chromium
我省略了不相关的过程。铬快照处于强制模式。
我不认为问题出在pulseaudio,而是与铬快照的配置有关。如上面的日志所示,它显然阻止了对声音设备的访问。
启动 evince 时,出现此错误:
EvinceDocument-WARNING **: 10:14:16.337: Error opening directory “/usr/lib/x86_64-linux-gnu/evince/4/backends”: Permission denied
我已经将 evince 置于抱怨模式,所以我认为:
aa-complain /usr/bin/evince
systemctl restart apparmor
状态显示 evince 处于投诉模式:
apparmor_status
22 profiles are in complain mode.
/usr/bin/evince
我正在使用 overlayfs root 运行 Ubuntu。我也尝试过完全停止 apparmor。
我可以执行 ls -al /usr/lib/x86_64-linux-gnu/evince/4/backends 并查看文件就好了。如果我运行 strace evince,我会看到完全相同的输出,即无法打开该目录。
编辑:#1
1. Ubuntu 19.10 Server as a base (not as a install, nor a debootstrap, but close to a debootstrap)
2. xorg + i3 tiling wm installed
3. no virtualization
4. most other applications work as expected
我在 Ubuntu 19.10、Libreoffice 6.3.4 和 OpenJDK 14 上,无法启动 libreoffice:
自由办公室:
Fatal exception: Signal 11
Stack:
/usr/lib/libreoffice/program/libuno_sal.so.3(+0x3d263)[0x7f12ac0fb263]
/usr/lib/libreoffice/program/libuno_sal.so.3(+0x3d3da)[0x7f12ac0fb3da]
/lib/x86_64-linux-gnu/libc.so.6(+0x46470)[0x7f12abefa470]
/usr/lib/libreoffice/program/libuno_cppu.so.3(+0x17197)[0x7f12a9e13197]
/usr/lib/libreoffice/program/libuno_cppu.so.3(uno_type_any_assign+0x93)[0x7f12a9e125c3]
/usr/lib/libreoffice/program/libmergedlo.so(+0x28d787d)[0x7f12ae9f487d]
/usr/lib/libreoffice/program/libmergedlo.so(+0x28d7dca)[0x7f12ae9f4dca]
/usr/lib/libreoffice/program/libmergedlo.so(_ZN3utl10ConfigItemC2ERKN3rtl8OUStringE14ConfigItemMode+0x80)[0x7f12ae9eebc0]
/usr/lib/libreoffice/program/libmergedlo.so(+0x2912bf6)[0x7f12aea2fbf6]
/usr/lib/libreoffice/program/libmergedlo.so(_ZN19SvtSysLocaleOptionsC1Ev+0x129)[0x7f12aea31099]
/usr/lib/libreoffice/program/libmergedlo.so(_Z7InitVCLv+0x1b0)[0x7f12aedef2c0]
/usr/lib/libreoffice/program/libmergedlo.so(_Z10ImplSVMainv+0x115)[0x7f12aedf08b5]
/usr/lib/libreoffice/program/libmergedlo.so(soffice_main+0x97)[0x7f12adf1e907]
/usr/lib/libreoffice/program/soffice.bin(+0x10b0)[0x5649106b80b0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x7f12abedb1e3]
/usr/lib/libreoffice/program/soffice.bin(+0x10ee)[0x5649106b80ee]
我看到 apparmor 正在执行,我在 dmesg 输出中收到这些警告:
[Mon Feb 24 10:10:10 2020] kauditd_printk_skb: 4 callbacks suppressed
[Mon Feb 24 10:10:10 2020] audit: type=1400 audit(1582557010.883:1138): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libreoffice-soffice" name="usr/share/drirc.d" pid=17701 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 10:10:10 2020] audit: type=1400 audit(1582557010.883:1139): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libreoffice-soffice" name="usr/share/drirc.d" pid=17701 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 10:10:10 2020] audit: type=1400 audit(1582557010.883:1140): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libreoffice-soffice" name="usr/share/drirc.d" pid=17701 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 10:10:10 2020] audit: type=1400 audit(1582557010.883:1141): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libreoffice-soffice" name="usr/share/drirc.d" pid=17701 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 10:10:10 2020] audit: type=1400 audit(1582557010.887:1142): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libreoffice-soffice" name="usr/share/drirc.d" pid=17701 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 10:10:10 2020] audit: type=1400 audit(1582557010.899:1143): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libreoffice-soffice" name="usr/lib/libreoffice/program/services" pid=17693 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 10:10:10 2020] audit: type=1400 audit(1582557010.899:1144): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libreoffice-soffice" name="overlay/home/user/.config/libreoffice/4/user/SafeMode" pid=17693 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
我试图停止 apparmor (systemctl stop apparmor),但我仍然收到这些警告消息,并且 libreoffice 无法启动。
我正在使用 overlayfs root 运行 Ubuntu。
Journalctl 显示 Discord snap 包 / apparmor 将许多消息打印到 systemd 日志。有没有办法解决这个问题?这个问题似乎已经发生了一段时间。我在 19.04 和 19.10 看到过。
消息非常频繁。我的机器启动了不到一个小时,我看到很多消息:
$ journalctl -b | grep discord | wc -l
20235
示例错误消息:
audit[4597]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=4597 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
这是来自另一台机器的错误消息。尽管绝大多数消息都与 ptrace 相关(见上文),但有些消息看起来像这样(pid=6711 是 ssh-agent)。
audit[7358]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/6711/cmdline" pid=7358 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0