Printing denied since upgrade

Bug #1251973 reported by EricDHH on 2013-11-17
26
This bug affects 5 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned
cups (Ubuntu)
Undecided
Unassigned

Bug Description

Ubuntu 13.10 amd64, Patchlevel today
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=13.10
DISTRIB_CODENAME=saucy
DISTRIB_DESCRIPTION="Ubuntu 13.10"

Since upgrade from 13.04 to 13.10 this system can't print anything. By searching i found this in dmesg

[ 3098.185896] type=1400 audit(1384676379.061:70): apparmor="DENIED" operation="open" parent=2878 profile="/usr/sbin/cupsd" name="/home/.ecryptfs/eric/.ecryptfs/wrapped-passphrase" pid=3347 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

It does not matter what and which driver in cups is used, the printing is denied and no printout file appears. No spoolfile for the driver appears, but a new DENIED comes up. From the cups side everything is fine, but is is blocked from apparmor in some way.

localhost - - [17/Nov/2013:09:43:55 +0100] "POST /printers/HL4150CDN HTTP/1.1" 200 871814 Print-Job successful-ok
localhost - - [17/Nov/2013:09:45:31 +0100] "POST /printers/PDF HTTP/1.1" 200 871685 Print-Job successful-ok

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: apparmor 2.8.0-0ubuntu31
ProcVersionSignature: Ubuntu 3.11.0-13.20-generic 3.11.6
Uname: Linux 3.11.0-13-generic x86_64
ApportVersion: 2.12.5-0ubuntu2.1
Architecture: amd64
Date: Sun Nov 17 09:35:42 2013
EcryptfsInUse: Yes
InstallationDate: Installed on 2013-05-18 (182 days ago)
InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release amd64 (20130423.1)
MarkForUpload: True
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.11.0-13-generic root=UUID=0bfe05f6-2c8a-45f9-ac88-5f432f139de8 ro rootflags=subvol=@ quiet splash elevator=deadline vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to saucy on 2013-10-18 (29 days ago)

EricDHH (ericdhh) wrote :
John Johansen (jjohansen) wrote :

Hi EricDHH

a temporary fix to this issue is to add line

  /home/.ecryptfs/eric/.ecryptfs/wrapped-passphrase r,

to the file /etc/apparmor.d/local/usr.sbin.cupsd

and then reload the profiles with
  sudo /etc/init.d/apparmor restart

Seth Arnold (seth-arnold) wrote :

Is it a good idea for CUPS to have access to your wrapped passphrase? I'm curious what's going on here...

John Johansen (jjohansen) wrote :

oh hrmmm, now that you mention it. No cups should not need to see that file at all, and no it is not a good idea to have cupsd looking at the wrapped pass phrase.

My above comment still stands, it will make the reject go away, but unless you are desperate, and will to risk leaking your encryption pass phrase, I would not use it.

Tyler Hicks (tyhicks) wrote :

There's no reason for cupsd to try to read that file. I'm very surprised that the denial is specific to that single file.

I have no idea why cups would be doing that. Can you examine the cups logs and see if there is anything relevant in there?

EricDHH (ericdhh) wrote :

Okay have purged the printer and repeated the driver install based on this informations

http://wiki.ubuntuusers.de/Brother/Drucker

Everything stops at
eric@nereus:~/Ubuntu One/Special-DEBs$ sudo ln -s /usr/lib/cups/filter/brlpdwrapper* /usr/lib64/cups/filter/
ln: das angegebene Ziel »/usr/lib64/cups/filter/“ ist kein Verzeichnis: Datei oder Verzeichnis nicht gefunden

After entering a appsocket 9100 cups turns to a neverending search for the printer driver, there is a bug in the compatibility or a change in cups that destroy the wiki information. There are also these lines in dmesg, when trying to install a printer with the fix from #2.
[ 1330.139369] type=1400 audit(1384932874.955:57): apparmor="STATUS" operation="profile_replace" parent=3595 profile="unconfined" name="/usr/sbin/cupsd" pid=3600 comm="apparmor_parser"

cups/error.log
E [20/Nov/2013:08:34:34 +0100] Unable to bind socket for address [v1.::1]:631 - Address already in use.
E [20/Nov/2013:08:34:34 +0100] Unable to bind socket for address 127.0.0.1:631 - Address already in use.
W [20/Nov/2013:08:35:07 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'HL4150CDN-Gray..' already exists
W [20/Nov/2013:08:35:07 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'HL4150CDN-RGB..' already exists

Reason for cups to read the passphrase for encryption, maybe NSA because cups already is used on apple and android and this is a smart backdoor.

John Johansen (jjohansen) wrote :

Hrmmm, this
  E [20/Nov/2013:08:34:34 +0100] Unable to bind socket for address [v1.::1]:631 - Address already in use.
  E [20/Nov/2013:08:34:34 +0100] Unable to bind socket for address 127.0.0.1:631 - Address already in use.
makes me think that even though you purged the printer the socket for some reason has not been freed and is still in use. Can you purge the driver, reboot (its the easiest way to make sure you cleanup tasks that may be using the socket) and try installing again.

The message
  [ 1330.139369] type=1400 audit(1384932874.955:57): apparmor="STATUS" operation="profile_replace" parent=3595 profile="unconfined" name="/usr/sbin/cupsd" pid=3600 comm="apparmor_parser"

just means that a process that is unconfined replaced the old cupsd profile with a new one. This is expected as the instructions I provided told you to use restart which reloads/replaces profiles.

EricDHH (ericdhh) wrote :

Okay did the following

- delete the printer
- purge both brother hl4150* packages from the system
- full reboot
- install both brother packages again, this triggers a cupsd restart

get this in dmesg

[ 103.140338] init: cups main process ended, respawning
[ 103.166525] audit_printk_skb: 102 callbacks suppressed
[ 103.166531] type=1400 audit(1385021818.631:46): apparmor="STATUS" operation="profile_replace" parent=2290 profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=2295 comm="apparmor_parser"
[ 103.166544] type=1400 audit(1385021818.631:47): apparmor="STATUS" operation="profile_replace" parent=2290 profile="unconfined" name="/usr/sbin/cupsd" pid=2295 comm="apparmor_parser"
[ 103.167248] type=1400 audit(1385021818.631:48): apparmor="DENIED" operation="setrlimit" parent=2289 profile="/usr/sbin/cupsd" pid=2294 comm="cupsd" rlimit=nofile value=4096
[ 103.167527] type=1400 audit(1385021818.631:49): apparmor="STATUS" operation="profile_replace" parent=2290 profile="unconfined" name="/usr/sbin/cupsd" pid=2295 comm="apparmor_parser"
[ 140.771338] parport0: lp tried to release parport when not owner

This is from cups error.log
eric@nereus:~/Ubuntu One/Special-DEBs$ cat /var/log/cups/error_log
W [21/Nov/2013:09:13:04 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-Gray..' already exists
W [21/Nov/2013:09:13:04 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-RGB..' already exists
E [21/Nov/2013:09:13:04 +0100] Unable to bind socket for address [v1.::1]:631 - Address already in use.
E [21/Nov/2013:09:13:04 +0100] Unable to bind socket for address 127.0.0.1:631 - Address already in use.
E [21/Nov/2013:09:14:52 +0100] Unable to remove /var/run/cups/certs/0!
W [21/Nov/2013:09:16:58 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-Gray..' already exists
W [21/Nov/2013:09:16:58 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-RGB..' already exists
W [21/Nov/2013:09:16:58 +0100] CreateDevice failed: org.freedesktop.ColorManager.AlreadyExists:device id 'cups-PDF' already exists
E [21/Nov/2013:09:16:58 +0100] Unable to bind socket for address [v1.::1]:631 - Address already in use.
E [21/Nov/2013:09:16:58 +0100] Unable to bind socket for address 127.0.0.1:631 - Address already in use.

Looks like an incompatibility between the 13.10 cups and the brother hl4150* packages.

John Johansen (jjohansen) wrote :

This entry
[ 103.167248] type=1400 audit(1385021818.631:48): apparmor="DENIED" operation="setrlimit" parent=2289 profile="/usr/sbin/cupsd" pid=2294 comm="cupsd" rlimit=nofile value=4096

is interesting, and may be part of the problem. Can you please attach the output of
apparmor_parser -p /etc/apparmor.d/usr.sbin.cupsd

also you can try testing with the cups profile disabled, to temporarily disable it you can do
  sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.cupsd
or to permanently disable
  sudo aa-disable /etc/apparmor.d/usr.sbin.cupsd
  sudo /etc/init.d/apparmor restart

after which you should restart cupsd
  sudo restart cups

Seth Arnold (seth-arnold) wrote :

I'm also curious about what might already be bound to port 631 on ipv4 and ipv6 localhost addresses. Would you mind including the output of "sudo netstat -lntp | grep :631" ? Thanks

EricDHH (ericdhh) wrote :

Next round, lets see....

eric@nereus:~$ sudo aa-disable /etc/apparmor.d/usr.sbin.cupsd
sudo: aa-disable: Befehl nicht gefunden

Okay this wont work, try the simple version

sudo restart cups
cups start/running, process 2879

Cant add a new printer and cant print a testpage with the pdf-printer, got this

[ 1160.695598] type=1400 audit(1385105454.057:58): apparmor="DENIED" operation="open" parent=2879 profile="/usr/lib/cups/backend/cups-pdf" name="/home/.ecryptfs/eric/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbQJi-5FucO7-QrZ4FsT48w8tsZFI1YwR10K3IBUW-xsNjgUYReApm1HU--/ECRYPTFS_FNEK_ENCRYPTED.FWbQJi-5FucO7-QrZ4FsT48w8tsZFI1YwR10HEexx9BZbOErhIlf5w6Aok--" pid=2994 comm="cups-pdf" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000

Let's see what sit on the ports
eric@nereus:~$ sudo netstat -lntp | grep :631
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2879/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 2879/cupsd

John Johansen (jjohansen) wrote :

Hrmm drat, aa-disable has some bugs around multiple profiles in a file.

try this instead
  sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.cupsd
  sudo restart cups

EricDHH (ericdhh) wrote :
Download full text (4.4 KiB)

Here is what happens

No errors with the commands

dmesg
[ 340.636785] type=1400 audit(1385191275.947:46): apparmor="STATUS" operation="profile_remove" parent=2327 profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=2328 comm="apparmor_parser"
[ 340.636827] type=1400 audit(1385191275.947:47): apparmor="STATUS" operation="profile_remove" parent=2327 profile="unconfined" name="/usr/sbin/cupsd" pid=2328 comm="apparmor_parser"
[ 349.935390] type=1400 audit(1385191285.243:48): apparmor="STATUS" operation="profile_load" parent=2336 profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=2340 comm="apparmor_parser"
[ 349.935401] type=1400 audit(1385191285.243:49): apparmor="STATUS" operation="profile_load" parent=2336 profile="unconfined" name="/usr/sbin/cupsd" pid=2340 comm="apparmor_parser"
[ 349.936307] type=1400 audit(1385191285.247:50): apparmor="STATUS" operation="profile_replace" parent=2336 profile="unconfined" name="/usr/sbin/cupsd" pid=2340 comm="apparmor_parser"

No errors from pdf testprint, file appears in ~/PDF

Installed both brother 4150 packages, this triggers a cups restart, now found this in error.log
W [23/Nov/2013:08:29:31 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-Gray..' already exists
W [23/Nov/2013:08:29:31 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-RGB..' already exists
E [23/Nov/2013:08:29:31 +0100] Unable to bind socket for address [v1.::1]:631 - Address already in use.
E [23/Nov/2013:08:29:31 +0100] Unable to bind socket for address 127.0.0.1:631 - Address already in use.
W [23/Nov/2013:08:29:31 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-Gray..' already exists
W [23/Nov/2013:08:29:31 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-RGB..' already exists
E [23/Nov/2013:08:29:31 +0100] Unable to bind socket for address [v1.::1]:631 - Address already in use.
E [23/Nov/2013:08:29:31 +0100] Unable to bind socket for address 127.0.0.1:631 - Address already in use.
W [23/Nov/2013:08:29:31 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-Gray..' already exists
W [23/Nov/2013:08:29:31 +0100] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'PDF-RGB..' already exists
E [23/Nov/2013:08:29:31 +0100] Unable to bind socket for address [v1.::1]:631 - Address already in use.
E [23/Nov/2013:08:29:31 +0100] Unable to bind socket for address 127.0.0.1:631 - Address already in use.

But its impossible to install the printer driver, it hangs in a loop to find the (installed) driver and dmesg tells

[ 655.781020] type=1400 audit(1385191591.093:52): apparmor="DENIED" operation="open" parent=2341 profile="/usr/lib/cups/backend/cups-pdf" name="/home/.ecryptfs/eric/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbQJi-5FucO7-QrZ4FsT48w8tsZFI1YwR10K3IBUW-xsNjgUYReApm1HU--/ECRYPTFS_FNEK_ENCRYPTED.FWbQJi-5FucO7-QrZ4FsT48w8tsZFI1YwR10HEexx9BZbOErhIlf5w6Aok--" pid=2448 comm="cups-pdf" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000
[ 835.776798] init: cups main process ended, respawning
[ 835.8092...

Read more...

John Johansen (jjohansen) wrote :

I can certainly understand this being a show stopper and needing to stop fiddling with it.

There are a few more things you can try before going through all the work of reverting or switching your system. First restarting cups is loading the apparmor profile (sorry I was unaware it was doing this) so just removing it won't work. We need to disable it.

I don't know why
  sudo aa-disable /etc/apparmor.d/usr.sbin.cupsd

isn't working for you. I would try it again. If it fails you can manually make a symlink that should disable the profile, and then manually remove it
  sudo ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/disable/usr.sbin.cupsd
  sudo apparmor_parser -R /etc/apparmor.d/usr.bin.cupsd

you can verify the profile is removed using
  sudo aa-status | grep cups
which should output nothing

now try restarting cups
  sudo restart cups

and check the tail of /var/log/syslog for new denials
  grep DENIED /var/log/syslog

the reason to look in /var/log/syslog instead of dmesg is DBus denial don't currently go to dmesg, so /var/log/syslog is the only place all apparmor denial messages show up.

If you still can't install your driver, and are getting apparmor DENIED messages you can do either of the following to disable apparmor completely.
  sudo apt-get remove apparmor
or
  edit /etc/defaults/grub and add apparmor=0 to the kernel command line then run
    sudo update-grub
   and reboot

If you still can't install the driver then it is indeed a cups regression and the apparmor messages have been a red herring. Best of luck on what ever route you choose, and I am sorry that this bug is causing you such problems.

EricDHH (ericdhh) wrote :

eric@nereus:~$ sudo aa-disable /etc/apparmor.d/usr.sbin.cupsd
[sudo] password for eric:
sudo: aa-disable: Befehl nicht gefunden

This command is not installed, don't know from which package it should come

eric@nereus:~$ aa-
aa-exec aa-status

So i try to disable apparmor for cups.

eric@nereus:~$ sudo ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/disable/usr.sbin.cupsd
eric@nereus:~$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.cupsd
Fehler: Profil /etc/apparmor.d/usr.bin.cupsd konnte nicht gelesen werden: Datei oder Verzeichnis nicht gefunden.

Incredible, it's there and it's not, mabye permission problems?

eric@nereus:~$ ls -la /etc/apparmor.d/
-rw-r--r-- 1 root root 4459 Sep 27 13:34 usr.sbin.cupsd

This looks okay
eric@nereus:~$ sudo restart cups
cups start/running, process 3097
eric@nereus:~$ grep DENIED /var/log/syslog

A complete removal of apparmor seems not to be o good idea, it offers basic security functions that look useful. It seems that the cups api was something silently changed after 13.04, so the brother packages are icompatible now. As there are no free drivers and ubuntu help points to the brother packages, this is a mess. There are many printers supported only by the brother packages. This gives me a good understanding, why mint tells to not update if everything is fine. It will rollback this machine today to get in functional again.

Thanks
Eric

eric@nereus:~$ sudo aa-status | grep cups
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cupsd
   /usr/sbin/cupsd (2789)

John Johansen (jjohansen) wrote :

aa-status is part of the apparmor package
aa-disabled is part of the apparmor-utils package

the package split is done to reduce the install foot print to a minimum for base installs, iso images etc.

The failure of the apparmor_parser -R is odd, perhaps the profile had been already removed by a previous action? Profiles exist in two places on the system, their text representation stored in the filesystem in userspace and their binary representation in that is loaded into the kernel, either during boot or package install, etc.

You can find out your loaded set of profiles via the aa-status command (root privs required), or by directly poking the lower level interface. Either using a simplied file based view
  cat /sys/kernel/security/apparmor/profiles

or a slightly more detail directory based view
  ls /sys/kernel/security/apparmor/policy/profiles/

Generally I would agree that you shouldn't disable apparmor, however I am a pragmatist and believe security is useless if it prevents you from doing the work you need to get done.

I am going to add a task for cups and see if the those more familiar with cups have any ideas.

best of luck on your roll back.

EricDHH, can you follow the instructions of the section "CUPS error_log" on https://wiki.ubuntu.com/DebuggingPrintingProblems and then try again. This gives much more information in the CUPS error_log.

Changed in cups (Ubuntu):
status: New → Incomplete
Changed in apparmor (Ubuntu):
status: New → Incomplete

pitti, do you have any idea what is happening here?

EricDHH (ericdhh) wrote :

Did 3 rollbacks here, all computers are on mint olivia 15 now, (ubuntu 13.04). On all computers i followed this instructions

http://wiki.ubuntuusers.de/Brother/Drucker

Everything runs fine, as it is possible to delete the printer and insert it as appsocket with driver search again. Maybe there is an API bug between cups and the brother packages or apparmor was changed, but in 13.04 it works perfect. There is no denied from apparmor in syslog.

Sorry that i cannot support by this bug anymore, i hope there are more brother users in the field.

Seth Arnold (seth-arnold) wrote :

John, the apparmor_parser -R error is down to a simple typo:

> eric@nereus:~$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.cupsd
> Fehler: Profil /etc/apparmor.d/usr.bin.cupsd konnte nicht gelesen werden: Datei oder Verzeichnis nicht gefunden.
>
> Incredible, it's there and it's not, mabye permission problems?
>
> eric@nereus:~$ ls -la /etc/apparmor.d/
> -rw-r--r-- 1 root root 4459 Sep 27 13:34 usr.sbin.cupsd

Note 'bin' vs 'sbin'.

Launchpad Janitor (janitor) wrote :

[Expired for apparmor (Ubuntu) because there has been no activity for 60 days.]

Changed in apparmor (Ubuntu):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for cups (Ubuntu) because there has been no activity for 60 days.]

Changed in cups (Ubuntu):
status: Incomplete → Expired
bzipitidoo (bzipitidoo) wrote :
Download full text (13.9 KiB)

Ran into this problem today while trying to print to my networked printer, an HP Officejet Pro 8500. The system is up to date, has Firefox 27. Tried printing twice, using this hp-doctor command and a reboot in between attempts, and now have 2 jobs stalled in the queue. Here's what I see.

/var/log/syslog:

Feb 11 11:32:36 diamond anacron[1147]: Job `cron.daily' started
Feb 11 11:32:36 diamond anacron[2135]: Updated timestamp for job `cron.daily' to
 2014-02-11
Feb 11 11:34:19 diamond whoopsie[1331]: online
Feb 11 11:35:20 whoopsie[1331]: last message repeated 2 times
Feb 11 11:52:48 diamond kernel: [ 1530.398251] audit_printk_skb: 84 callbacks su
ppressed
Feb 11 11:52:48 diamond kernel: [ 1530.398256] type=1400 audit(1392141168.213:47): apparmor="STATUS" operation="profile_replace" parent=2448 profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=2452 comm="apparmor_parser"
Feb 11 11:52:48 diamond kernel: [ 1530.398265] type=1400 audit(1392141168.213:48): apparmor="STATUS" operation="profile_replace" parent=2448 profile="unconfined" name="/usr/sbin/cupsd" pid=2452 comm="apparmor_parser"
Feb 11 11:52:48 diamond kernel: [ 1530.399037] type=1400 audit(1392141168.213:49): apparmor="STATUS" operation="profile_replace" parent=2448 profile="unconfined" name="/usr/sbin/cupsd" pid=2452 comm="apparmor_parser"
Feb 11 11:53:32 diamond anacron[1147]: Job `cron.daily' terminated (exit status: 1) (mailing output)
Feb 11 11:53:32 diamond anacron[1147]: Can't find sendmail at /usr/sbin/sendmail, not mailing output
Feb 11 11:53:32 diamond anacron[1147]: Job `cron.weekly' started
Feb 11 11:53:32 diamond anacron[2569]: Updated timestamp for job `cron.weekly' to 2014-02-11
Feb 11 11:53:34 diamond anacron[1147]: Job `cron.weekly' terminated
Feb 11 11:53:34 diamond anacron[1147]: Normal exit (2 jobs run)
Feb 11 12:17:01 diamond CRON[2719]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 11 12:37:47 diamond dbus[850]: [system] Activating service name='org.debian.apt' (using servicehelper)
Feb 11 12:37:48 diamond AptDaemon: INFO: Initializing daemon
Feb 11 12:37:48 diamond dbus[850]: [system] Successfully activated service 'org.debian.apt'
...
Feb 11 15:17:01 diamond CRON[3943]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 11 16:05:10 diamond hpcups[4070]: prnt/hpcups/HPCupsFilter.cpp 548: cupsRasterOpen failed, fd = 0
Feb 11 16:05:10 diamond hp[4071]: prnt/backend/hp.c 839: ERROR: null print job total=0
Feb 11 16:07:40 diamond kernel: [16807.115475] type=1400 audit(1392156460.167:50): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/cupsd" name="/run/utmp" pid=2453 comm="cupsd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Feb 11 16:07:51 diamond kernel: [16818.582020] type=1400 audit(1392156471.643:51): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/cupsd" name="/run/utmp" pid=2453 comm="cupsd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Feb 11 16:07:58 diamond kernel: [16825.315696] type=1400 audit(1392156478.383:52): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/cupsd" name="/run/utmp" pid=2453 comm="cupsd" requested_mask="k" denied_mask="k" fs...

John Johansen (jjohansen) wrote :

bzipitdoo,

Sorry for the delayed response.

I would not say this is the same problem, though it is similar. The cupsd profile is not granting permission to lock /run/utmp which is being asked for (I'm not sure why).

You can try fixing this by adding the line
  /run/utmp k,

to the cupsd profile inside of the /etc/apparmor.d/usr.sbin.cupd file (I would do it after the include, capability and network rules, so that it is with the other file rules).

and then reload the profile OR restart apparmor (either will work, restart is more generic and will reload all profiles)

  sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
or
  /etc/init.d/apparmor restart

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers