Binary package hint: cupsys
When I run cupsd in a Xen dom0 VM (linux-image-2.6.22-13-xen: 2.6.22-13.40, xen-hypervisor-3.1: 3.1.0-0ubuntu16, cupsys: 1.3.2-1ubuntu5), cupsd crashes at startup because of Apparmor profile problems on Xen-friendly TLS libraries:
Oct 7 18:34:34 localhost kernel: [ 4247.112264] audit(1191778474.564:93): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libpthread-2.6.1.so" pid=24842 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.113455] audit(1191778474.564:94): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libc-2.6.1.so" pid=24842 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.117169] audit(1191778474.568:95): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libnsl-2.6.1.so" pid=24842 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.118140] audit(1191778474.568:96): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libresolv-2.6.1.so" pid=24842 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.119107] audit(1191778474.568:97): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libdl-2.6.1.so" pid=24842 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.120725] audit(1191778474.572:98): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libcrypt-2.6.1.so" pid=24842 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.122042] audit(1191778474.572:99): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libm-2.6.1.so" pid=24842 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.130941] audit(1191778474.580:100): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libnss_files-2.6.1.so" pid=24843 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.133410] audit(1191778474.584:101): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libnss_compat-2.6.1.so" pid=24843 profile="/usr/sbin/cupsd"
Oct 7 18:34:34 localhost kernel: [ 4247.134716] audit(1191778474.584:102): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/lib/tls/i686/nosegneg/libnss_nis-2.6.1.so" pid=24843 profile="/usr/sbin/cupsd"
I resolved this by adding
/lib/tls/** rm,
to /etc/apparmor.d/usr.sbin.cupsd
I think it should be better fixed in /etc/apparmor. d/abstractions/ base than in/etc/ apparmor. d/usr.sbin. cupsd, as the former file contains
/lib/ tls/i686/ cmov/ld- *.so mrix, tls/i686/ cmov/lib* .so* mr, tls/i686/ cmov/lib* .so* mr,
/lib/
/lib/
Replacing these three by
/lib/ tls/i686/ */ld-*. so mrix, tls/i686/ */lib*. so* mr, tls/i686/ */lib*. so* mr,
/lib/
/lib/
This will fix the problem for all programs, not only for CUPS.
Moving bug to apparmor