Bug#1127671: "WARNING: Glycin running without sandbox" when AppArmor profile doesn't allow the sandbox to work

Rene Engelhard rene at debian.org
Sat Mar 14 21:30:10 GMT 2026 

Hi,

Am 06.03.26 01:55, schrieb Carlos Silva:
> Is there any news on this?
> 
> I know that
> sudo aa-disable /etc/apparmor.d/libreoffice-*
> 
> Would make the warning go away.

I wonder why.

libreoffice-soffice(.bin) is in complain mode.

Interestingly, the (somehow implied?) glycin stuff added. And some of
those even gets into enforced automatically?

grep -E '(mode|libreoff)' gives me:

36 profiles are in enforce mode.
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
28 profiles are in complain mode.
   libreoffice-oosplash
   libreoffice-soffice
   libreoffice-soffice//null-/usr/bin/bwrap
   libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
   libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
0 profiles are in prompt mode.
0 profiles are in kill mode.
76 profiles are in unconfined mode.
2 processes are in enforce mode.
6 processes are in complain mode.
   /usr/lib/libreoffice/program/oosplash (19996) libreoffice-oosplash
   /usr/lib/libreoffice/program/soffice.bin (20006) libreoffice-soffice
   /usr/libexec/glycin-loaders/2+/glycin-image-rs (19770) libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
   /usr/libexec/glycin-loaders/2+/glycin-image-rs (19814) libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
   /usr/libexec/glycin-loaders/2+/glycin-svg (19756) libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
   /usr/libexec/glycin-loaders/2+/glycin-svg (19800) libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are in mixed mode.

IMHO aa-disable is a bad idea for a warning.
There is a reason some profiles are kept in enforcing. Especially the gpg one...

> But is there any other way, It seems that
> the libreoffice profile needs to be updated to include glycin.

See my other mail. Could do if there is some abstraction. I am not going
to chase down what needs to be done here in a profile.

Regards,

Rene

More information about the pkg-gnome-maintainers mailing list