github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #6345] yelp: cannot open man pages #3245

New issue
Open
opened 2026-05-05 09:51:11 -06:00 by gitea-mirror · 9 comments
gitea-mirror commented 2026-05-05 09:51:11 -06:00
Owner
Copy link

Originally created by @Rosika2 on GitHub (May 17, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6345

Info:

OS: Linux Lite 6.2
firejail version: 0.9.72

Hi all, 👋

I just noticed there´s a yelp.profile available for firejail.

yelp provides an interesting alternative for viewing man pages. However the command (example):
firejail yelp man:ls didn´t provide the results as expected.

The yelp GUI opened up but couldn´t access the respective file. It said:
"Document not found. The URI ´man:ls´ does not point to a valid page." 😞

However: the command firejail --noprofile yelp man:ls worked well. The man pages for ls were flawlessly displayed in the yelp GUI. That was just for experimental reasons, of course.

I already copied the the yelp.profile to ~/.config/firejail in order to change (some of) the options stored therein but frankly I don´t know where to start.
Surely the profile needs some modification.

Thanks a lot for your help in advance.

Many greetings from Rosika 🙂

P.S.:

the terminal´s output was:

firejail yelp man:ls
Reading profile /home/rosika/.config/firejail/yelp.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 33840, child pid 33843
5 programs installed in 10.26 ms
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping drirc for private /etc
Warning: skipping gcrypt for private /etc
Warning: skipping man_db.conf for private /etc
Private /etc installed in 32.14 ms
Private /usr/etc installed in 0.00 ms
Warning: not mounting tmpfs on /home/rosika/.config/pulse
Child process initialized in 188.24 ms
Gtk-Message: 14:58:49.752: Failed to load module "xapp-gtk3-module"

(yelp:31): dbind-WARNING **: 14:58:49.813: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Gtk-Message: 14:58:50.120: Failed to load module "xapp-gtk3-module"

** (WebKitWebProcess:54): WARNING **: 14:58:50.355: Can't connect to a11y bus: Could not connect: No such file or directory

Parent is shutting down, bye...
Originally created by @Rosika2 on GitHub (May 17, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6345 Info: OS: Linux Lite 6.2 firejail version: 0.9.72 Hi all, :wave: I just noticed there´s a `yelp.profile` available for firejail. `yelp` provides an interesting alternative for viewing man pages. However the command (example): `firejail yelp man:ls` didn´t provide the results as expected. The yelp GUI opened up but couldn´t access the respective file. It said: "Document not found. The URI ´man:ls´ does not point to a valid page." :disappointed: However: the command `firejail --noprofile yelp man:ls` worked well. The man pages for `ls` were flawlessly displayed in the yelp GUI. That was just for experimental reasons, of course. I already copied the the `yelp.profile` to `~/.config/firejail` in order to change (some of) the options stored therein but frankly I don´t know where to start. Surely the profile needs some modification. Thanks a lot for your help in advance. Many greetings from Rosika :slightly_smiling_face: P.S.: the terminal´s output was: ``` firejail yelp man:ls Reading profile /home/rosika/.config/firejail/yelp.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 33840, child pid 33843 5 programs installed in 10.26 ms Warning: skipping asound.conf for private /etc Warning: skipping crypto-policies for private /etc Warning: skipping drirc for private /etc Warning: skipping gcrypt for private /etc Warning: skipping man_db.conf for private /etc Private /etc installed in 32.14 ms Private /usr/etc installed in 0.00 ms Warning: not mounting tmpfs on /home/rosika/.config/pulse Child process initialized in 188.24 ms Gtk-Message: 14:58:49.752: Failed to load module "xapp-gtk3-module" (yelp:31): dbind-WARNING **: 14:58:49.813: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory Gtk-Message: 14:58:50.120: Failed to load module "xapp-gtk3-module" ** (WebKitWebProcess:54): WARNING **: 14:58:50.355: Can't connect to a11y bus: Could not connect: No such file or directory Parent is shutting down, bye... ```
gitea-mirror commented 2026-05-05 09:51:14 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (May 17, 2024):

OS: Linux Lite 6.2

The yelp.profile assumes man pages are located under /usr/share/man and whitelists that path accordingly. Does Linux Lite store these in the same location? If not you will need to whitelist the path it uses.

HTH

<!-- gh-comment-id:2117989910 --> @ghost commented on GitHub (May 17, 2024): > OS: Linux Lite 6.2 The yelp.profile assumes man pages are located under `/usr/share/man` and whitelists that path accordingly. Does `Linux Lite` store these in the same location? If not you will need to whitelist the path it uses. HTH
gitea-mirror commented 2026-05-05 09:51:15 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (May 18, 2024):

Hi @glitsj16, 👋

thanks for your reply.

/usr/share/man and whitelists that path accordingly. Does Linux Lite store these in the same location?

In fact it does. I looked it up. Nothing unusual here, it seems.

Seems curious. I don´t know why yelp.profile wouldn´t work then. 🤔

Still: thanks a lot and many greetings from Rosika 🙂

<!-- gh-comment-id:2118807324 --> @Rosika2 commented on GitHub (May 18, 2024): Hi @glitsj16, :wave: thanks for your reply. > /usr/share/man and whitelists that path accordingly. Does Linux Lite store these in the same location? In fact it does. I looked it up. Nothing unusual here, it seems. Seems curious. I don´t know why `yelp.profile` wouldn´t work then. :thinking: Still: thanks a lot and many greetings from Rosika :slightly_smiling_face:
gitea-mirror commented 2026-05-05 09:51:16 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (May 18, 2024):

In fact it does. I looked it up. Nothing unusual here, it seems.

Ah well, that would have been too easy. So that leaves the manual trial and error routine. Try commenting all the include disable-foo.inc lines, private-bin and private-tmp and hopefully that can identify the culprit(s). Work your way up from there and post your observations so we can assist. There's also our IRC channel.

Enjoy your weekend.

<!-- gh-comment-id:2118810582 --> @ghost commented on GitHub (May 18, 2024): > In fact it does. I looked it up. Nothing unusual here, it seems. Ah well, that would have been too easy. So that leaves the manual trial and error routine. Try commenting all the `include disable-foo.inc` lines, `private-bin` and `private-tmp` and hopefully that can identify the culprit(s). Work your way up from there and post your observations so we can assist. There's also our [IRC channel](https://web.libera.chat/#firejail). Enjoy your weekend.
gitea-mirror commented 2026-05-05 09:51:16 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (May 18, 2024):

Hi @glitsj16, 👋

thanks for your reply.

O.K., I´ll try to follow the path you suggested.
As soon as I come up with anything substantial (perhaps even a soultion) I´ll post it here.

In the meantime: goodybe and have a nice weekend as well.

Cheers from Rosika 🙂

P.S.:

Thanks also for the hint regarding the IRC channel.

<!-- gh-comment-id:2118825892 --> @Rosika2 commented on GitHub (May 18, 2024): Hi @glitsj16, :wave: thanks for your reply. O.K., I´ll try to follow the path you suggested. As soon as I come up with anything substantial (perhaps even a soultion) I´ll post it here. In the meantime: goodybe and have a nice weekend as well. Cheers from Rosika :slightly_smiling_face: P.S.: Thanks also for the hint regarding the IRC channel.
gitea-mirror commented 2026-05-05 09:51:17 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (May 18, 2024):

Hi again @glitsj16, 👋

I tried what you suggested but those ones weren´t the culprit.
I tried some options more and found out that it´s line 58 which has to be commented out:

# private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml

I left everything else unchanged.
Now yelp can access the man pages within firejail. 😃

I´m just wondering: Isn´t it a bit much that gets commented out this way?
It´s just one line but affects a lot of of options... 🤔

Many greetings from Rosika 🙂

<!-- gh-comment-id:2118845377 --> @Rosika2 commented on GitHub (May 18, 2024): Hi again @glitsj16, :wave: I tried what you suggested but those ones weren´t the culprit. I tried some options more and found out that it´s line 58 which has to be commented out: ``` # private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml ``` I left everything else unchanged. Now `yelp` can access the man pages within `firejail`. :smiley: I´m just wondering: Isn´t it a bit much that gets commented out this way? It´s just one line but affects a lot of of options... :thinking: Many greetings from Rosika :slightly_smiling_face:
gitea-mirror commented 2026-05-05 09:51:18 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (May 18, 2024):

Nice find.

I'm just wondering: Isn't it a bit much that gets commented out this way?

That's correct. Ideally, now that you've determined something is missing from private-etc, the best option would be to track down what that is and add that.

With the newly introduced @groups syntax for private-etc (only in git for now) this issue could go away. But while you're on 0.9.72, try adding (some of) the below 'usual suspects' and check if that kicks yelp into working mode while maintaining a restrictive sandbox:

$ cat ~/.config/firejail/yelp.local
private-etc group,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,login.defs,pango,passwd,xdg

HTH

<!-- gh-comment-id:2118852732 --> @ghost commented on GitHub (May 18, 2024): Nice find. > I'm just wondering: Isn't it a bit much that gets commented out this way? That's correct. Ideally, now that you've determined something is `missing` from `private-etc`, the best option would be to track down what that is and add that. With the newly introduced @groups syntax for private-etc (only in git for now) this issue could go away. But while you're on `0.9.72`, try adding (some of) the below 'usual suspects' and check if that kicks yelp into working mode while maintaining a restrictive sandbox: ```sh $ cat ~/.config/firejail/yelp.local private-etc group,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,login.defs,pango,passwd,xdg ``` HTH
gitea-mirror commented 2026-05-05 09:51:19 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (May 19, 2024):

Hi @glitsj16, 👋

I followed your suggestion and I did it this way:
In yelp.local I erased one entry at a time, e.g. group, ld.so.conf etc.

But yelp didn´t work, no matter which of the entries I kicked out.

While commenting out the complete line with all of it´s entries works it must be a combination of 2 or more entries then. 🤔

Seems hard to find out the culprits.
For the time being it seems commenting out the line completely is mandatory.

Thanks again and many greetings from Rosika 🙂

<!-- gh-comment-id:2119271345 --> @Rosika2 commented on GitHub (May 19, 2024): Hi @glitsj16, :wave: I followed your suggestion and I did it this way: In `yelp.local` I erased one entry at a time, e.g. `group`, `ld.so.conf` etc. But yelp didn´t work, no matter which of the entries I kicked out. While commenting out the complete line with all of it´s entries works it must be a combination of 2 or more entries then. :thinking: Seems hard to find out the culprits. For the time being it seems commenting out the line completely is mandatory. Thanks again and many greetings from Rosika :slightly_smiling_face:
gitea-mirror commented 2026-05-05 09:51:19 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (May 19, 2024):

Seems hard to find out the culprits.

Agreed, that can become a rabbit-hole. And it's not 'insecure' without private-etc. Your OS and yourself are still there to protect sensitive things under /etc too. As I've mentioned, for me on firejail-git (with the refactored private-etc etcetera) yelp works fine. So let's hope it's only a matter of time before 0.9.74 reaches you and things sort themselves out :)

Thanks for your response. We'll keep this open for now.

<!-- gh-comment-id:2119276595 --> @ghost commented on GitHub (May 19, 2024): > Seems hard to find out the culprits. Agreed, that can become a rabbit-hole. And it's not 'insecure' without private-etc. Your OS and yourself are still there to protect sensitive things under /etc too. As I've mentioned, for me on firejail-git (with the refactored private-etc etcetera) yelp works fine. So let's hope it's only a matter of time before 0.9.74 reaches you and things sort themselves out :) Thanks for your response. We'll keep this open for now.
gitea-mirror commented 2026-05-05 09:51:19 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (May 19, 2024):

@glitsj16, 👋

thanks so much for your feedback.

And it's not 'insecure' without private-etc.

That´s good to know.

I might still follow some kind of "gradual reintroduction" approach:

Instead of removing one entry at a time, I could try gradually reintroducing entries back into yelp.local and testing yelp after each addition. This might help identify which specific combination of entries causes the problem.

Just an idea. Not sure if it will lead to anything. 😉

In the meantime: thanks again and have nice Sunday.
Cheers from Rosika 🙂

<!-- gh-comment-id:2119279330 --> @Rosika2 commented on GitHub (May 19, 2024): @glitsj16, :wave: thanks so much for your feedback. > And it's not 'insecure' without private-etc. That´s good to know. I might still follow some kind of "gradual reintroduction" approach: Instead of removing one entry at a time, I could try gradually reintroducing entries back into `yelp.local` and testing yelp after each addition. This might help identify which specific combination of entries causes the problem. Just an idea. Not sure if it will lead to anything. :wink: In the meantime: thanks again and have nice Sunday. Cheers from Rosika :slightly_smiling_face:
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3245
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?