Ubuntu
cups package

apparmor prevents cups-pdf from reading to /var/spool/cups/

Bug #923538 reported by Simon Déziel
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
cups (Ubuntu)
Fix Released
Undecided
Martin Pitt

Bug Description

Printing a test page using the cups-pdf backend fails with this:

Jan 29 18:49:11 simon-laptop kernel: [103619.265887] type=1400 audit(1327880951.699:216): apparmor="DENIED" operation="open" parent=20117 profile="/usr/lib/cups/backend/cups-pdf" name="/var/spool/cups/d00007-001" pid=20386 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

# apt-cache policy cups cups-pdf
cups:
  Installed: 1.5.0-8ubuntu7
  Candidate: 1.5.0-8ubuntu7
  Version table:
 *** 1.5.0-8ubuntu7 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.5.0-8ubuntu6 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
     1.5.0-8 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
cups-pdf:
  Installed: 2.5.1-7
  Candidate: 2.5.1-7
  Version table:
 *** 2.5.1-7 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/universe amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: cups 1.5.0-8ubuntu7
ProcVersionSignature: Ubuntu 3.0.0-16.27-generic 3.0.17
Uname: Linux 3.0.0-16-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Sun Jan 29 18:52:01 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
Lpstat: device for PDF: cups-pdf:/
Lsusb:
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
 Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
 Bus 001 Device 005: ID 17ef:480f Lenovo Integrated Webcam [R5U877]
MachineType: LENOVO 2516CTO
Papersize: letter
PpdFiles: PDF: Generic CUPS-PDF Printer
ProcEnviron:
 LANGUAGE=en_CA:en
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.0.0-16-generic root=/dev/mapper/crypt-root ro quiet splash vt.handoff=7
SourcePackage: cups
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 12/01/2011
dmi.bios.vendor: LENOVO
dmi.bios.version: 6IET80WW (1.40 )
dmi.board.name: 2516CTO
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr6IET80WW(1.40):bd12/01/2011:svnLENOVO:pn2516CTO:pvrThinkPadT410:rvnLENOVO:rn2516CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 2516CTO
dmi.product.version: ThinkPad T410
dmi.sys.vendor: LENOVO

Revision history for this message
Simon Déziel (sdeziel) wrote :
Martin Pitt (pitti)
Changed in cups (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.5.0-16

---------------
cups (1.5.0-16) unstable; urgency=low

  [ Till Kamppeter ]
  * debian/filters/, debian/local/backends/, debian/local/filters/,
    debian/local/cpdftocps.convs, debian/local/oopstops.convs,
    debian/local/oopstops.types, debian/local/postscript.ppd,
    debian/local/pstopdf.convs, debian/local/pstopdf.types,
    debian/local/text.convs, debian/local/textonly.ppd, debian/cups.install,
    debian/cups-common.links, debian/cups.links, debian/rules: Removed all
    add-on filters and backends which now get hosted by OpenPrinting in the
    OpenPrinting CUPS filters package (Debian package "cups-filters"). Also
    removed some obsolete or redundant filters/backends/PPDs: mailto, oopstops,
    dvipipetops, samba-to-ps, postscript.ppd, pdf.ppd.
  * debian/rules: Removed filters, backends, and MIME conversion rules from
    upstream CUPS which have now moved to the cups-filters package.
  * debian/rules: Do not apply the PDF filters add-on package any more as
    the filters are supplied by cups-filters now. Call aclocal and
    autoconf explicitly, as the add-on package does not call them for us
    any more.
  * debian/control: Let the cups binary package depend on cups-filters, so
    that the moved filters and backends stay available.
  * debian/control: Do not build-depend on liblcms1-dev any more. We do not
    have the PDF filters in this package any more.
  * debian/control: Do not depend on ttf-freefont any more.
  * debian/cups.lintian-overrides: Removed entries for serial and parallel
    backends.
  * debian/cups.postinst, debian/cups.prerm, debian/cups.templates,
    Updated debconf for the removal of the parallel and serial backends.
  * debian/patches/ubuntu/poppler-0.18.patch: Removed, as the CUPS package
    does not contain the PDF filters any more.

  [ Martin Pitt ]
  * debian/rules: Stop setting LC_MESSAGES, this was fixed upstream in the
    test suite a while ago.
  * Drop debian/dirs: Unnecessary.
  * Drop debian/suid: Not used anywhere, and the time when cups shipped suid
    backends is long gone.
  * Drop debian/docs: Redundant with debian/cups.docs.
  * Drop debian/patches/pdftops-testsuite.patch: Not applied, and fixed
    upstream.
  * manpage-translations.patch: Update German translations, thanks Helge
    Kreutzmann. (Closes: #630217)
  * Add Polish debconf translations, thanks Michał Kułach. (Closes: #657670)
  * debian/local/apparmor-profile: Allow cups-pdf to read /var/spool/cups.
    (LP: #923538)
 -- Martin Pitt <email address hidden> Mon, 30 Jan 2012 08:35:28 +0100

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Simon Déziel (sdeziel) wrote :

Wow, that was fast, thanks Martin! I'll be glad to test when the package will be available in Ubuntu.

summary: - apparmor prevents cups-pdf from writing to /var/spool/cups/
+ apparmor prevents cups-pdf from reading to /var/spool/cups/
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.