Re: Debian 11: evince and apparmor flood kernel log

[Roger Price <debian@rogerprice.org>]

On Sat, 18 Sep 2021, Klaus Singvogel wrote:

> Roger Price wrote:
> > In Debian 11, evince has an appamor profile which floods the kernel log with
> > hundreds of messages of the style:
>
> Not only at Debian 11, even Debian 10 has it.
>
> [...]
> >  (evince:2869): GVFS-WARNING **: 22:18:18.510: can't init metadata tree /mnt/home/rprice/.local/share/gvfs-metadata/home: open: Permission denied
> [...]
> > Is there some way of calming evince+appamor?
>
> The location of your home is uncommon (as on my side).
>
> Fix: edit /etc/apparmor.d/tunables/home.d/site.local

In site.local I found

 # The following is a space-separated list of where additional user home
 # directories are stored, each must have a trailing '/'. Directories added
 # here are appended to @{HOMEDIRS}.  See tunables/home for details. Eg:
 #@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/

where curiously, the apparmor installation seems to have detected my non-common 
/home and made the necessary addition, but appended to a commented out example.

I added line /mnt/home/ and tried to restart apparmor.service.  This failed with 
error messages such as

Sep 18 12:08:33 titan apparmor.systemd[5150]: AppArmor parser error for
 /etc/apparmor.d/lsb_release in /etc/apparmor.d/tunables/multiarch at line 13:
 syntax error
Sep 18 12:08:33 titan apparmor.systemd[5154]: AppArmor parser error for
 /etc/apparmor.d/nvidia_modprobe in /etc/apparmor.d/tunables/multiarch at line
 13: syntax error

So I tried replacing @{HOMEDIRS}=/home/ with @{HOMEDIRS}=/mnt/home/ in file 
/etc/apparmor.d/tunables/home

I restarted apparmor.service and some light testing shows that the problem is 
solved.

My error in site.local was probably to have added /mnt/home and not 
@{HOMEDIRS}+=/mnt/home

Thanks to all who responded!  Roger