Apparmor prevents printing with cups-pdf

Brian, AppArmor issues are completely handled by cupsys, since it is
the daemon that does the printing and that includes those AppArmor
rules. Thus, this bug was correctly assigned to cupsys. This is NOT a
cups-pdf issue.

On Thu, Oct 9, 2008 at 2:31 AM, Brian Murray <email address hidden> wrote:
> ** Changed in: cups-pdf (Ubuntu)
> Sourcepackagename: cupsys => cups-pdf

--
Martin-Éric Racine
http://q-funk.iki.fi

Just had it happen:
cupsys:
  Installed: 1.3.9-17ubuntu3
  Candidate: 1.3.9-17ubuntu3
  Version table:
 *** 1.3.9-17ubuntu3 0
        500 http://archive.ubuntu.com jaunty-updates/universe Packages
        100 /var/lib/dpkg/status
     1.3.9-17ubuntu1 0
        500 http://archive.ubuntu.com jaunty/universe Packages
Description: Ubuntu 9.04
Release: 9.04
E [05/May/2009:16:24:02 -0500] PID 15793 (/usr/lib/cups/backend/cups-pdf) stopped with status 5!

Thank you for taking the time to report this bug and helping to make Ubuntu better. To help fix the bug, please follow the instructions found in https://wiki.ubuntu.com/DebuggingApparmor. This will greatly help us in tracking down your problem.

ApparmorStatusOutput:
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: amd64
DistroRelease: Ubuntu 9.04
NonfreeKernelModules: fglrx
Package: apparmor 2.3+1289-0ubuntu14
PackageArchitecture: amd64
ProcCmdline: root=/dev/sda3 quiet splash
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
ProcVersionSignature: Ubuntu 2.6.28-11.42-generic
Uname: Linux 2.6.28-11-generic x86_64
UserGroups: adm admin audio cdrom dialout dip floppy fuse lpadmin plugdev sambashare vboxusers video

Thanks Micah. These appear to be the problem:

May 5 22:40:34 defiant kernel: [33228.304167] type=1503 audit(1241581234.818:31): operation="capable" name="dac_override" pid=4905 profile="/usr/lib/cups/backend/cups-pdf"
May 5 22:40:34 defiant kernel: [33228.304174] type=1503 audit(1241581234.818:32): operation="capable" name="dac_read_search" pid=4905 profile="/usr/lib/cups/backend/cups-pdf"

What is the value of the 'Out' directory in /etc/cups/cups-pdf.conf? Does that directory exist for your user? Is it a symlink?

Jamie Strandboge wrote:
> Thanks Micah. These appear to be the problem:
>
> May 5 22:40:34 defiant kernel: [33228.304167] type=1503 audit(1241581234.818:31): operation="capable" name="dac_override" pid=4905 profile="/usr/lib/cups/backend/cups-pdf"
> May 5 22:40:34 defiant kernel: [33228.304174] type=1503 audit(1241581234.818:32): operation="capable" name="dac_read_search" pid=4905 profile="/usr/lib/cups/backend/cups-pdf"
>
> What is the value of the 'Out' directory in /etc/cups/cups-pdf.conf?
> Does that directory exist for your user? Is it a symlink?
>
>
It exists, and it's not a symlink. The perms on the dir are 770 and
it's owned by micah:lpadmin
Perms on home dir are 700.

I am to reproduce this with the default value of 'Out ${HOME}/PDF' in /etc/cups/cups-pdf.conf with $HOME as 700.

Micah, can you add the following to /etc/apparmor.d/usr.sbin.cupsd (in the cups-pdf stanza):
  capability dac_override,

Then do:
$ cat /etc/apparmor.d/usr.sbin.cupsd | sudo apparmor_parser -r

Please confirm if this fixes the problem for you.

Jamie Strandboge wrote:
> Micah, can you add the following to /etc/apparmor.d/usr.sbin.cupsd (in the cups-pdf stanza):
> capability dac_override,
>
> Then do:
> $ cat /etc/apparmor.d/usr.sbin.cupsd | sudo apparmor_parser -r
>
> Please confirm if this fixes the problem for you.
>
Negative.

Micah Gersten wrote:
> Jamie Strandboge wrote:
>
>> Micah, can you add the following to /etc/apparmor.d/usr.sbin.cupsd (in the cups-pdf stanza):
>> capability dac_override,
>>
>> Then do:
>> $ cat /etc/apparmor.d/usr.sbin.cupsd | sudo apparmor_parser -r
>>
>> Please confirm if this fixes the problem for you.
>>
>>
> Negative.
>
>
I missed the dac_override add. After I did that, it worked.

Assigning to Martin per his request.

I really would like to avoid giving dac_override to cups-pdf. Can we improve the error message to point out that your home should rather be 701?

Martin is right, this works:
rm -fr ~/PDF && mkdir -m 701 -p ~/PDF && chmod 701 $HOME

Since there doesn't seem to be a better solution, I'll add dac_override to the profile now. The cups-pdf profile is pretty tight, so it shouldn't open up too many holes.

This bug was fixed in the package cups - 1.3.10-4

---------------
cups (1.3.10-4) unstable; urgency=low

  * Add ghostscript-cups dependency. (LP: #385606)
  * debian/control: Add back dropped comma, which led to the ssl-cert
    dependency being dropped. (Closes: #532845)
  * debian/local/apparmor-profile: Allow reading /proc/sys/crypto/**.
    (LP: #335898)
  * debian/local/apparmor-profile: Allow dac_override to cups-pdf. This is
    unfortunate, but required with some $HOME permissions; the profile is very
    tight, so this shouldn't actually considerably increase privileges.
    (LP: #224365)

 -- Martin Pitt <email address hidden> Fri, 12 Jun 2009 11:32:28 +0200

I still have this problema in Lucid. Same thing that happened when I installed Karmic.
PDF folder is already in users home dir, everything seems fine, but nothing comes out when printing PDFs.

root@phenom:/var/log/cups# tail -f cups-pdf_log
Tue May 4 17:55:06 2010 [ERROR] failed to open source stream

As soon as I stop apparmor and restart cups and samba everything starts working like it should.
I tried starting apparmor again and my system hang with LOADs of disk access, had to rebootit.

After reboot, apparmor came up again with the same problem. So I just uninstalled apparmor.

same here... I had this cups-pdf working in karmic. When I upgraded to lucid, the upgrade manager removed it. When I reinstalled, it didn't work. I tried emptying the ~/PDF directory, removing it and recreating it. No change. Purging and reinstalling didn't help. I guess I can use the print to file option and switching to PDF, but cups-pdf gave me the file name and stuck it in a directory... Bummer.

ON a clean install i still get this error.
Tried all the suggested solutions but nothing seems to work.

dmesg indicates that apparmour is still not accepting the printing.
[ 7565.200544] type=1400 audit(1359017270.893:39): apparmor="DENIED" operation="mknod" parent=5243 profile="/usr/lib/cups/backend/cups-pdf" name="/home/INTRANET/mikael/PDF/CADint_Schema.pdf" pid=5244 comm="gs" requested_mask="c" denied_mask="c" fsuid=1234700933 ouid=1234700933

Any ideas?