pixels-to-pdf failed - Githubissues

freedomofpress / dangerzone

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs

https://dangerzone.rocks/

GNU Affero General Public License v3.0

3.58k stars 168 forks source link

pixels-to-pdf failed #781

Closed wolffi closed 5 months ago

wolffi commented 5 months ago

The first stage (doc-to-pixels) completes successfully, [doc xxxxxx] 48% Converted document to pixels. The second stage (pixels-to-pdf) stops at 0% with ERROR [doc xxxxxx] 0% Unknown error code '1'

I tried different converting different documents. The error is the same.

apyrgio commented 5 months ago

Thanks for this bug report @wolffi. Let's find out more about your environment. Can you let us know about the following:

What is your Operating System (macOS, Windows, Debian, Fedora, Qubes, etc.) and its version?
What is your Dangerzone version? It's the 0.x.y number you see when opening the app. You can also check with dangerzone-cli --version.

wolffi commented 5 months ago

This is on Fedora 38, kernel-6.8.6 and dangerzone 0.6.0. I tried the GUI as well as dangerzone-cli.

apyrgio commented 5 months ago

My money is on SELinux, we've had similar issues in the past (see https://github.com/freedomofpress/dangerzone/issues/517). Can you check:

If SELinux is in enforcing mode? You can check with sestatus.
If journalctl or /var/log/audit/audit.log have logged any SELinux policy violation?
For kicks, is your user ID 1000? Run id to check it out.

We try to play by SELinux rules when mounting directories to the container, by relabeling the temp dir with the :Z flag (see Labeling Volume Mounts in the podman-run manpage). However, we are aware that this can still fail in some configurations. This issue will be fully resolved once we merge https://github.com/freedomofpress/dangerzone/pull/748.

wolffi commented 5 months ago

SELinux is in enforcing mode, changing to permissive doesn't help.
I don't see any recent entries in journalctl nor audit.log related to SELinux policy violation (nor any other hint regarding the error of dangerzone).
My uid is NOT 1000, should I change it to 1000?

apyrgio commented 5 months ago

Yeah, that's the second known issue (see https://github.com/freedomofpress/dangerzone/issues/624) that will be fixed by #748. If it's possible to switch to the user with UID 1000, just before invoking Dangerzone (e.g., with sudo -iu <user> dangerzone), that would help. Can you give it a shot?

wolffi commented 5 months ago

Thanks @apyrgio for your help. I was able to convert the PDF using a newly created user account with UID=1000. Thanks a lot!

apyrgio commented 5 months ago

That's good to know, and hopefully we'll soon update Dangerzone so that you can use your regular user account.

If you don't have an objection, I'll now mark this issue as completed, and leave the parent issue (https://github.com/freedomofpress/dangerzone/issues/624) open. I'll add a pointer to this issue, so that other users can see this workaround. Cheers!