Digging journalctl: lot of Apparmor "DENIED"
sept. 24 14:17:15 ub64 audit[1007]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=1007 comm="cupsd" capability=12 capname="net_admin" sept. 24 14:17:16 ub64 audit[1182]: AVC apparmor="DENIED" operation="connect" profile="/usr/sbin/cups-browsed" name="/run/systemd/resolve/io.systemd.Resolve" pid=1182 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=101 sept. 24 14:17:16 ub64 audit[1182]: AVC apparmor="DENIED" operation="connect" profile="/usr/sbin/cups-browsed" name="/run/systemd/resolve/io.systemd.Resolve" pid=1182 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=101 sept. 24 14:19:41 ub64 audit[4318]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4318 comm="snap-confine" capability=12 capname="net_admin" sept. 24 14:19:41 ub64 audit[4318]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4318 comm="snap-confine" capability=38 capname="perfmon" sept. 24 14:19:41 ub64 kernel: audit: type=1400 audit(1664021981.797:49): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4318 comm="snap-confine" capability=12 capname="net_admin" sept. 24 14:19:41 ub64 kernel: audit: type=1400 audit(1664021981.797:50): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4318 comm="snap-confine" capability=38 capname="perfmon" sept. 24 14:19:41 ub64 audit[4318]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4318 comm="snap-confine" capability=4 capname="fsetid" sept. 24 14:19:41 ub64 kernel: audit: type=1400 audit(1664021981.825:51): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4318 comm="snap-confine" capability=4 capname="fsetid" sept. 24 14:19:42 ub64 audit[4337]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox" name="/usr/share/cups/doc-root/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 sept. 24 14:19:42 ub64 kernel: audit: type=1400 audit(1664021982.073:52): apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox" name="/usr/share/cups/doc-root/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 sept. 24 14:19:42 ub64 kernel: audit: type=1400 audit(1664021982.077:53): apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox" name="/usr/share/gimp/2.0/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 sept. 24 14:19:42 ub64 kernel: audit: type=1400 audit(1664021982.077:54): apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox" name="/usr/share/libreoffice/help/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 sept. 24 14:19:42 ub64 kernel: audit: type=1400 audit(1664021982.077:55): apparmor="DENIED" operation="open" profile="snap-update-ns.firefox" name="/var/lib/" pid=4337 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 sept. 24 14:19:42 ub64 audit[4337]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox" name="/usr/share/gimp/2.0/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 sept. 24 14:19:42 ub64 audit[4337]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox" name="/usr/share/libreoffice/help/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 sept. 24 14:19:42 ub64 audit[4337]: AVC apparmor="DENIED" operation="open" profile="snap-update-ns.firefox" name="/var/lib/" pid=4337 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Looks like the latest cups version has to be blame , due to:
cups (2.4.2-1ubuntu2) kinetic; urgency=medium
* Add patch to build with snapd-glib-2
-- Jeremy Bicha <email address hidden> Thu, 25 Aug 2022 21:54:33 -0400
Digging journalctl: lot of Apparmor "DENIED"
sept. 24 14:17:15 ub64 audit[1007]: AVC apparmor="DENIED" operation="capable" profile= "/usr/sbin/ cupsd" pid=1007 comm="cupsd" capability=12 capname="net_admin" "/usr/sbin/ cups-browsed" name="/ run/systemd/ resolve/ io.systemd. Resolve" pid=1182 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=101 "/usr/sbin/ cups-browsed" name="/ run/systemd/ resolve/ io.systemd. Resolve" pid=1182 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=101 "/usr/lib/ snapd/snap- confine" pid=4318 comm="snap-confine" capability=12 capname="net_admin" "/usr/lib/ snapd/snap- confine" pid=4318 comm="snap-confine" capability=38 capname="perfmon" 1.797:49) : apparmor="DENIED" operation="capable" profile= "/usr/lib/ snapd/snap- confine" pid=4318 comm="snap-confine" capability=12 capname="net_admin" 1.797:50) : apparmor="DENIED" operation="capable" profile= "/usr/lib/ snapd/snap- confine" pid=4318 comm="snap-confine" capability=38 capname="perfmon" "/usr/lib/ snapd/snap- confine" pid=4318 comm="snap-confine" capability=4 capname="fsetid" 1.825:51) : apparmor="DENIED" operation="capable" profile= "/usr/lib/ snapd/snap- confine" pid=4318 comm="snap-confine" capability=4 capname="fsetid" "snap-update- ns.firefox" name="/ usr/share/ cups/doc- root/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 2.073:52) : apparmor="DENIED" operation="mkdir" profile= "snap-update- ns.firefox" name="/ usr/share/ cups/doc- root/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 2.077:53) : apparmor="DENIED" operation="mkdir" profile= "snap-update- ns.firefox" name="/ usr/share/ gimp/2. 0/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 2.077:54) : apparmor="DENIED" operation="mkdir" profile= "snap-update- ns.firefox" name="/ usr/share/ libreoffice/ help/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 2.077:55) : apparmor="DENIED" operation="open" profile= "snap-update- ns.firefox" name="/var/lib/" pid=4337 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 "snap-update- ns.firefox" name="/ usr/share/ gimp/2. 0/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 "snap-update- ns.firefox" name="/ usr/share/ libreoffice/ help/" pid=4337 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 "snap-update- ns.firefox" name="/var/lib/" pid=4337 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
sept. 24 14:17:16 ub64 audit[1182]: AVC apparmor="DENIED" operation="connect" profile=
sept. 24 14:17:16 ub64 audit[1182]: AVC apparmor="DENIED" operation="connect" profile=
sept. 24 14:19:41 ub64 audit[4318]: AVC apparmor="DENIED" operation="capable" profile=
sept. 24 14:19:41 ub64 audit[4318]: AVC apparmor="DENIED" operation="capable" profile=
sept. 24 14:19:41 ub64 kernel: audit: type=1400 audit(166402198
sept. 24 14:19:41 ub64 kernel: audit: type=1400 audit(166402198
sept. 24 14:19:41 ub64 audit[4318]: AVC apparmor="DENIED" operation="capable" profile=
sept. 24 14:19:41 ub64 kernel: audit: type=1400 audit(166402198
sept. 24 14:19:42 ub64 audit[4337]: AVC apparmor="DENIED" operation="mkdir" profile=
sept. 24 14:19:42 ub64 kernel: audit: type=1400 audit(166402198
sept. 24 14:19:42 ub64 kernel: audit: type=1400 audit(166402198
sept. 24 14:19:42 ub64 kernel: audit: type=1400 audit(166402198
sept. 24 14:19:42 ub64 kernel: audit: type=1400 audit(166402198
sept. 24 14:19:42 ub64 audit[4337]: AVC apparmor="DENIED" operation="mkdir" profile=
sept. 24 14:19:42 ub64 audit[4337]: AVC apparmor="DENIED" operation="mkdir" profile=
sept. 24 14:19:42 ub64 audit[4337]: AVC apparmor="DENIED" operation="open" profile=
Looks like the latest cups version has to be blame , due to:
cups (2.4.2-1ubuntu2) kinetic; urgency=medium
* Add patch to build with snapd-glib-2
-- Jeremy Bicha <email address hidden> Thu, 25 Aug 2022 21:54:33 -0400