AppArmor rules for CUPS seems to be too restrictive
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apparmor (Ubuntu) | Invalid | Undecided | Unassigned | |
cupsys (Ubuntu) | Fix Released | Undecided | Martin Pitt | |
Bug Description
Binary package hint: cupsys
Seems that the AppArmor rules for CUPS are too restrictive:
$ tail /var/log/syslog
Aug 16 18:05:41 laotse kernel: [ 4350.136178] audit(118728034
Aug 16 18:07:07 laotse kernel: [ 4435.343839] audit(118728042
Aug 16 18:07:07 laotse kernel: [ 4435.345857] audit(118728042
Aug 16 18:07:07 laotse kernel: [ 4435.348943] audit(118728042
Aug 16 18:07:07 laotse kernel: [ 4435.350137] audit(118728042
After adding these lines to /etc/apparmor.
/etc/papersize r,
/usr/bin/printf ixr,
/bin/cat ixr,
/usr/bin/env ixr,
/usr/bin/
I'm using a Kyocera FS-1010 (PostScript Laser Printer).
description: updated
Changed in apparmor:
status: New → Confirmed
Changed in cupsys:
status: New → Confirmed
I see some errors as well, though I think it is perfectly reasonable to prevent cups from accessing these:
Aug 16 15:55:15 localhost kernel: [11674.312000] audit(1187276115.276:13) : REJECTING access to capability 'dac_override' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:15 localhost kernel: [11674.312000] audit(1187276115.276:14) : REJECTING access to capability 'dac_read_search' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:18 localhost kernel: [11676.852000] audit(1187276117.776:15) : REJECTING w access to /etc/printcap (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:18 localhost kernel: [11677.248000] audit(1187276118.276:16) : REJECTING w access to /dev/tty (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
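
Added example (not part of the bug report and not AppArmor's own tooling): a small triage script for the two legacy REJECTING message shapes quoted in this thread. It collapses repeated denials per profile and keeps capability denials apart from file denials so each can be reviewed before any rule is added to the profile. The function names and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the four denials quoted in the comment above (syslog prefix
# dropped) plus one CONSTRUCTED line (serial 17) to show permission merging.
SAMPLE = """\
audit(1187276115.276:13) : REJECTING access to capability 'dac_override' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
audit(1187276115.276:14) : REJECTING access to capability 'dac_read_search' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
audit(1187276117.776:15) : REJECTING w access to /etc/printcap (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
audit(1187276118.276:16) : REJECTING w access to /dev/tty (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
audit(1187276120.000:17) : REJECTING r access to /etc/printcap (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
"""

# Matches only the two message shapes shown on this page:
#   REJECTING <perms> access to <path> (...)
#   REJECTING access to capability '<name>' (...)
DENIAL = re.compile(
    r"REJECTING (?:(?P<perms>[rwxlmik]+) access to (?P<path>\S+)"
    r"|access to capability '(?P<cap>\w+)')"
    r" \((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active \S+\)"
)

def summarize(log_text):
    """Group denials by profile: each path with the union of denied
    permissions, and the set of denied capabilities."""
    out = defaultdict(lambda: {"files": defaultdict(set), "caps": set()})
    for m in DENIAL.finditer(log_text):
        entry = out[m["profile"]]
        if m["cap"]:
            entry["caps"].add(m["cap"])
        else:
            entry["files"][m["path"]].update(m["perms"])
    return out

def candidate_rules(entry):
    """Render one profile's denials as rule lines for a human to review.
    Capability rules come back separately: dac_override and dac_read_search
    let a process bypass discretionary file permission checks, so they need
    a stronger justification than a single file path."""
    files = [f"{path} {''.join(sorted(perms))},"
             for path, perms in sorted(entry["files"].items())]
    caps = [f"capability {name}," for name in sorted(entry["caps"])]
    return files, caps

if __name__ == "__main__":
    for profile, entry in summarize(SAMPLE).items():
        files, caps = candidate_rules(entry)
        print(f"profile {profile}")
        for rule in files:
            print("  file denial, candidate rule:", rule)
        for rule in caps:
            print("  capability denial, review first:", rule)
```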