[GH-ISSUE #4187] Issue with printing evince #2572

Closed
opened 2026-05-05 09:14:42 -06:00 by gitea-mirror · 10 comments

Originally created by @Tus1688 on GitHub (Apr 13, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4187

I'm sorry that this issue is likely the same as issue #2101. I used Ubuntu 20.04 and there is preconfigured AppArmor. I am curious that when I open evince via Firefox, it shows the list of my printer machines, but when I open evince normally, I don't see it.

It doesn't show the printer list when I do `firejail --noprofile evince`, but it works normally when I reset the sandbox using `sudo firecfg --clean`.

I commented `nodbus` and it doesn't show any difference. I wonder if there is a way to solve this problem. Thanks in advance.


@rusty-snake commented on GitHub (Apr 13, 2021):

Try this:

```
include allow-bin-sh.inc
private-bin sh
```

@ghost commented on GitHub (Apr 13, 2021):

> I commented nodbus ...

Side-note: what version of firejail are you running? The `nodbus` option has been deprecated. If your version is older than 0.9.64.4 you might be vulnerable to [CVE-2021-26910](https://github.com/netblue30/firejail#security-vulnerabilities), so it's worthwhile to double-check that.


@Tus1688 commented on GitHub (Apr 14, 2021):

Thank you for your reply.
I put this in ~/.config/firejail:
`include allow-bin-sh.inc private-bin sh`
It doesn't work. When I checked /etc/firejail/ there is no `allow-bin-sh.inc`.
I am running version 0.9.62, and I have made the nodbus options as it supposed before.


@Tus1688 commented on GitHub (Apr 14, 2021):

I have (edit: deleted) `include allow-bin-sh.inc` and `private-bin sh`. Here is the snippet from the terminal when I tried to open the printers window:

```
* (evince:224): WARNING **: 03:45:02.373: Could not connect: Permission denied

** (evince:224): WARNING **: 03:45:02.373: Couldn't connect to D-Bus system bus, Could not connect: Permission denied
```


@ghost commented on GitHub (Apr 14, 2021):

> I am running version 0.9.62, and I have made the nodbus options as it supposed before.

Please upgrade your firejail package as soon as possible. As mentioned above 0.9.62 is vulnerable to [CVE-2021-26910](https://github.com/netblue30/firejail#security-vulnerabilities). Also, important improvements have been made with regards to D-Bus filtering, which seems to be (part of) the issue you're experiencing. You can use [this PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail) maintained by one of our collaborators. Follow the instructions on the Launchpad page to add the PPA and upgrade firejail. To get the best D-Bus support with Firejail it's important to also install `xdg-dbus-proxy` via your package manager.

I do realize this is not a straightforward 'do this to fix your issue', but we need to get you on the latest firejail release first. It could be that the issue with evince resolves itself or not. We'll get to that once you can confirm running 0.9.64.4.
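
A quick way to run the two checks raised in this comment and in the earlier side-note: the installed version against 0.9.64.4, and leftover active `nodbus` lines in profile overrides. This is an added example, not part of the original thread or the firejail project; the function names are hypothetical, and it assumes that `firejail --version` prints a first line of the form `firejail version X.Y.Z` and that `sort -V` is available.

```shell
#!/bin/sh
# Added example (not from the firejail project). Function names are hypothetical.
MIN_FIXED="0.9.64.4"   # versions older than this are flagged in the thread (CVE-2021-26910)
SAMPLE_BANNER="firejail version 0.9.62"   # constructed sample; version reported in the thread

# Pull the dotted version out of the first line of `firejail --version` output.
# Assumption: that line reads "firejail version X.Y.Z[.W]".
parse_firejail_version() {
    printf '%s\n' "$1" | sed -n '1s/^firejail version \([0-9][0-9.]*\).*/\1/p'
}

# Succeeds when version $1 is strictly older than version $2.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "outdated", "ok" or "unknown" for a version banner.
classify_version() {
    v=$(parse_firejail_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$MIN_FIXED"; then
        echo outdated
    else
        echo ok
    fi
}

# List *.profile / *.local files in directory $1 with an active `nodbus` line.
# Commented-out lines ("# nodbus") are ignored.
find_nodbus() {
    grep -lE '^[[:space:]]*nodbus([[:space:]]|$)' \
        "$1"/*.profile "$1"/*.local 2>/dev/null || true
}

echo "sample banner: $(classify_version "$SAMPLE_BANNER")"
if command -v firejail >/dev/null 2>&1; then
    echo "installed: $(classify_version "$(firejail --version 2>/dev/null)")"
    find_nodbus "$HOME/.config/firejail"
fi
```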


@Tus1688 commented on GitHub (Apr 14, 2021):

Hi, thank you for your reply. I did upgrade firejail and added `include allow-bin-sh.inc` and `private-bin sh` in `.config/firejail`; unfortunately it doesn't work though. I mean I can open evince, but I can't see the printer options. Then I decided to remove envince.profile in `.config/firejail`, and put `include allow-bin-sh.inc` and `private-bin sh` in evince.profile in /etc/firejail. Unfortunately, I notice the same thing.
But when I typed `firejail evince` it shows:

```
** (evince:229): WARNING **: 05:00:45.504: Couldn't connect to D-Bus system bus, Could not connect: Permission denied

** (evince:229): WARNING **: 05:00:45.509: failed to contact colord: Could not connect: Permission denied
```

the printer options show up there. I tried to remove the sandbox using `sudo firecfg --clean` and configure it again, then relog. I had the same issue when opening evince normally (without typing `firejail evince`).


@ghost commented on GitHub (Apr 14, 2021):

Okay, nice to read you've upgraded!

> ** (evince:229): WARNING **: 05:00:45.504: Couldn't connect to D-Bus system bus, Could not connect: Permission denied
> ** (evince:229): WARNING **: 05:00:45.509: failed to contact colord: Could not connect: Permission denied

Those are warnings about the D-Bus `system` bus, not the _session_ bus. Access to the system bus is blocked in our evince.profile via the `dbus-system none` option by design. It hardens the profile, and I wouldn't recommend changing that.

Now, what confuses me is that you mention seeing Evince's Print window when you use it via Firefox, but not when you run it directly. Correct? I cannot reproduce that on my box. But I'm pretty sure those warnings about the system bus are not related and can be ignored.

> ... then I decided to remove envince.profile in .config/firejail, and put include allow-bin-sh.inc and private-bin sh in evince.profile in /etc/firejail.

That is not the proper way to do persistent overrides. As the first lines in that file mention, any changes you make in /etc/firejail/evince.profile will get lost on a firejail upgrade/reinstall. Make your edits in evince.local instead, either in /etc/firejail (used for all users) or in ~/.config/firejail (for your user only).

> But, When I typed firejail evince ... the printers options show up there

That's what you want, no? Unless something like network printing is involved I'm just not fully understanding what you've been doing/trying to achieve. I'm sure that's a communication mixup. Perhaps you can upload a 'working' versus 'not working' screenshot somewhere to get things more clear?


@Tus1688 commented on GitHub (Apr 14, 2021):

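I am sorry for the confusion, as English is not my native language.

method 1 (open evince using Firefox by typing file:///)
![1](https://user-images.githubusercontent.com/76937231/114663987-4dd3a980-9d25-11eb-999e-f04d9f24defe.png)

method 2 (open evince using terminal `firejail evince`)
![2](https://user-images.githubusercontent.com/76937231/114664448-e833ed00-9d25-11eb-8280-962adce9ef45.png)

method 3 (open evince normally)
![3](https://user-images.githubusercontent.com/76937231/114664660-35b05a00-9d26-11eb-913f-14ee5ba6e6ac.png)

I want to print using method number 3.
Thank you.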


@ghost commented on GitHub (Apr 14, 2021):

Thanks for the images, they do help 👍.

I didn't notice it at first, but the link to #2101 didn't work for me earlier and there's where I got side-tracked and added confusion of my own heh. My apologies. GitHub decided to turn that into https://github.com/netblue30/firejail/issues/url for some reason and I completely missed the `firecfg` connection. Only now I actually get what you mean and I believe #3831 is relevant for you in this context.

You could try [firecfg.py](https://github.com/rusty-snake/firecfg.py), written by our collaborator-and-local-firejail-wizard @rusty-snake. Or you can adapt something I proposed [here](https://github.com/netblue30/firejail/issues/3016#issuecomment-547252596) a while ago. But that's more suited for Arch Linux (based) systems in all fairness. Sadly I don't know much about apt/dpkg to quickly give you a similar procedure for Ubuntu.

HTH


@Tus1688 commented on GitHub (Apr 14, 2021):

> Thanks for the images, they do help +1.
>
> I didn't notice it at first, but the link to #2101 didn't work for me earlier and there's where I got side-tracked and added confusion of my own heh. My apologies. GitHub decided to turn that into https://github.com/netblue30/firejail/issues/url for some reason and I completely missed the `firecfg` connection. Only now I actually get what you mean and I believe #3831 is relevant for you in this context.
>
> You could try [firecfg.py](https://github.com/rusty-snake/firecfg.py), written by our collaborator-and-local-firejail-wizard @rusty-snake. Or you can adapt something I proposed [here](https://github.com/netblue30/firejail/issues/3016#issuecomment-547252596) a while ago. But that's more suited for Arch Linux (based) systems in all fairness. Sadly I don't know much about apt/dpkg to quickly give you a similar procedure for Ubuntu.
>
> HTH

Thank you for your reply. After I disabled AppArmor, it is working 👍
