AppArmor denying Thunderbird/Enigmail from executing Split-GPG on Whonix


hccampbell

Apr 24, 2017, 2:36:44 AM
to qubes-users
I'm currently getting an AppArmor error like this whenever I view a
message in Thunderbird in a Whonix VM:

Apr 22 13:34:51 host kernel: [ 2477.096917] audit: type=1400
audit(1492868091.674:16): apparmor="DENIED" operation="exec"
profile="thunderbird" name="/usr/bin/qubes-gpg-client-wrapper" pid=2846
comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

This is accompanied by the following errors in Enigmail:

Enigmail initialization failed.

You are using GnuPG version , which is not up to date anymore.
Enigmail recommends GnuPG version 2.0 or newer; please upgrade your
GnuPG installation, or Enigmail will not work.

Enigmail: Error in accessing Enigmail service

In order to use Enigmail, GnuPG is required. If you did not install
GnuPG yet, the easiest way to do this is using the "Setup Wizard" button
below.

Enigmail is configured to use Qubes Split-GPG. It appears that this
error started occurring when Icedove was renamed to Thunderbird in Debian.

I asked on the Whonix forum, and Patrick suggested that I also post on
the qubes-users mailing list. The Whonix forum thread is at
https://forums.whonix.org/t/thunderbird-enigmail-denied-executing-split-gpg/3796.

Thanks.

cooloutac

Apr 24, 2017, 11:40:14 AM
to qubes-users, hccam...@cock.li

You would probably need to ask Debian or AppArmor on their forums or IRC. #apparmor is on the OFTC network, #debian is on freenode.

Have you tried adding that path to the thunderbird profile? I guess it would need read, write, and execute permissions? You would probably want to do it the most secure way though, and I'm no expert.

I know I have to do something similar for hexchat certificate files every now and then. After I compare the key online I have to add the path to the profile and give it an r, at the end. In your case you will also need execute, so rx, at least. See if there are other /usr/bin lines in the profile to compare.

Then, after you save the new profile, in a terminal aa-disable the profile and aa-enable it, and see if you get any errors or if it works.

cooloutac

Apr 24, 2017, 11:54:49 AM
to qubes-users, hccam...@cock.li
http://wiki.apparmor.net/index.php/QuickProfileLanguage

You can try adding /usr/bin/qubes-gpg-client-wrapper Uxr,

and see what happens. The gpg stuff might be more complicated than that though. You can also ask the guy who made your profile.
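An added example, not part of the thread and not code from Qubes, Whonix or AppArmor: a small Python parser that reads the DENIED record quoted in the first post and renders the kind of profile line suggested above. The function names and the `extra` parameter are assumptions made for this illustration; the exec mode is always supplied by the person editing the profile, never guessed.

```python
import re

# Audit record from the first post, rejoined onto one line.
SAMPLE = (
    'Apr 22 13:34:51 host kernel: [ 2477.096917] audit: type=1400 '
    'audit(1492868091.674:16): apparmor="DENIED" operation="exec" '
    'profile="thunderbird" name="/usr/bin/qubes-gpg-client-wrapper" pid=2846 '
    'comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'
)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EXEC_MODES = {"ix", "px", "Px", "cx", "Cx", "ux", "Ux"}  # AppArmor exec transitions


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = quoted or bare
        # The audit layer hex-encodes names with spaces or quotes and drops the quotes.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None


def candidate_rule(fields, exec_mode, extra=""):
    """Build one file rule for the denied path; a person picks exec_mode."""
    path, mask = fields["name"], fields["denied_mask"]
    if not path.startswith("/") or re.search(r'[*?\[\]{}\s"]', path):
        raise ValueError("path needs manual escaping: %r" % path)
    if exec_mode not in EXEC_MODES:
        raise ValueError("unknown exec mode: %r" % exec_mode)
    perms = exec_mode if "x" in mask else ""
    # Add the other denied bits plus anything requested, each once, in a fixed order.
    perms += "".join(p for p in "rwaklm" if p in mask + extra)
    return "%s %s," % (path, perms)


if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print("profile:", d["profile"], "| operation:", d["operation"])
    print(candidate_rule(d, "Ux", extra="r"))  # the mode suggested in the thread
```

`Ux` runs the wrapper outside any profile with a scrubbed environment, while `px`/`Px` only work once the wrapper has a profile of its own, so the mode passed in decides how much confinement is given up.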

cooloutac

Apr 24, 2017, 12:14:06 PM
to qubes-users, hccam...@cock.li

I put the wrong command; it's aa-enforce, *not* enable.

Also, I believe where you put the line in the profile matters; try putting it high up.

Nuno Branco

Apr 26, 2017, 10:39:27 AM
to qubes...@googlegroups.com
I had problems with Enigmail and Split GPG before, and the only
workaround I found was downgrading it to 1.8.2.