Apparmor profile violated: cupsd does mknod on /var/cache/samba/gencache.tdb

Bug #1314160 reported by Bram Geron
This bug affects 12 people

Affects: cups (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

When I print to my smb printer, I get a dbus notification of the following entries in my syslog:

    Apr 29 12:27:15 tinker kernel: [ 3359.467314] type=1400 audit(1398770835.923:150): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7
    Apr 29 12:27:15 tinker kernel: [ 3359.467453] type=1400 audit(1398770835.923:151): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7
    Apr 29 12:27:15 tinker kernel: [ 3359.469047] type=1400 audit(1398770835.923:152): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7

I get new entries every time I print. I'm running Ubuntu 14.04 with cups-daemon 1.7.2-0ubuntu1 on btrfs, fwiw.

I saw this replicated on http://www.dedoimedo.com/computers/ubuntu-trusty-tahr-laptop-ultrabook.html .

Till Kamppeter (till-kamppeter) wrote :

Is the problem only about having messages in syslog or are you actually not able to print? Do these messages cause any pop-ups on your screen? If you still can print and get no pop-ups it is a minor problem.

The profile is not violated by cupsd, but most probably by the /usr/lib/cups/backend/smb CUPS backend which is a part of Samba. It probably recently gained a feature that uses the cache.

What has to be done to fix it is allowing access to /var/cache/samba/gencache.tdb in the AppArmor profile of cupsd.

Changed in cups (Ubuntu):
status: New → Incomplete
Bram Geron (bgeron) wrote :

Printing works as usual, it's just the messages. I get a popup in the top right corner, probably from apparmor-notify which I suspect I installed by hand a long time ago. When I relogin, I seem to get a notification that there have been apparmor violations.

Till Kamppeter (till-kamppeter) wrote :

Thank you very much, we will fix the AppArmor profile soon.

Changed in cups (Ubuntu):
status: Incomplete → Triaged
Till Kamppeter (till-kamppeter) wrote :

pitti, can you tell me which rule needs to get added to the AppArmor profile to fix this?

Martin Pitt (pitti) wrote :

I'm afraid I can't. I subscribed Jamie and Tyler as our resident AppArmor experts.

> requested_mask="c" denied_mask="c"

I'm afraid I don't know what "c" is, it's not documented in man 5 apparmor.d. Bram seems to suggest it's "mknod", but why would that apply to /var/cache/samba/gencache.tdb? That's certainly a regular file, not a device node. If cups were actually trying to mknod() something there, that'd be a bug.

Stefan Fleiter (stefan-fleiter) wrote :

This bug seems to prevent me from printing.
I saw this message in syslog, too, and the usr.sbin.cupsd AppArmor profile caused Samba authentication errors:

    E [15/Jan/2015:12:37:35 +0100] [Job 112] Session setup failed: NT_STATUS_UNSUCCESSFUL
    E [15/Jan/2015:12:37:35 +0100] [Job 112] Session setup failed: NT_STATUS_LOGON_FAILURE
    E [15/Jan/2015:12:37:35 +0100] [Job 112] Tree connect failed (NT_STATUS_ACCESS_DENIED)

After disabling the cups profile printing worked again.

Jamie Strandboge (jdstrand) wrote :

'c' corresponds to creat(). This requires the 'w' apparmor permission.

tags: added: aa-policy apparmor
Jamie Strandboge (jdstrand) wrote :

Does adding the following to /etc/apparmor.d/local/usr.sbin.cupsd fix the issue:

    #include <abstractions/samba>

After making this change please do 'sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd' (or reboot) and try again.

Changed in cups (Ubuntu):
status: Triaged → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for cups (Ubuntu) because there has been no activity for 60 days.]

Changed in cups (Ubuntu):
status: Incomplete → Expired
Greg Bell (gbell-spamless) wrote :

Adding #include <abstractions/samba> does not fix it.

Stefan Taferner (taferner) wrote :

The bug is still present in 16.04.2

Add this line to /etc/apparmor.d/local/usr.sbin.cupsd:

    /var/cache/samba/* w,

Then 'sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd'

The reason why including abstractions/samba does not work is that the '*' is missing in abstractions/samba.
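
Added example, not part of the thread and not AppArmor's or Ubuntu's own tooling: a Python script that parses the denial lines quoted in the bug description, groups them by profile, path and helper process, and prints a candidate rule scoped to the exact denied path rather than a directory wildcard. The function names and the 'd' mask mapping are assumptions made for this example; whether write access alone is enough for the smb backend is not established on this page.

```python
import re
from collections import Counter

# First three lines are copied from the bug description; the fourth is a
# constructed non-denial line, included to show that it is filtered out.
SAMPLE_LOG = """\
Apr 29 12:27:15 tinker kernel: [ 3359.467314] type=1400 audit(1398770835.923:150): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7
Apr 29 12:27:15 tinker kernel: [ 3359.467453] type=1400 audit(1398770835.923:151): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7
Apr 29 12:27:15 tinker kernel: [ 3359.469047] type=1400 audit(1398770835.923:152): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7
Apr 29 12:27:16 tinker kernel: [ 3359.500000] type=1400 audit(1398770836.000:153): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=5800 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value pairs in an audit record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit mask letter -> profile permission. 'c' (create) needing 'w' is stated
# in the thread; 'd' (delete) -> 'w' is an assumption added for this example.
MASK_TO_PERM = {"c": "w", "d": "w"}

def parse_denials(log_text):
    """Yield the key=value fields of every apparmor="DENIED" file record."""
    for line in log_text.splitlines():
        fields = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields

def summarize(log_text):
    """Count denials per (profile, path, helper comm, needed permissions)."""
    counts = Counter()
    for f in parse_denials(log_text):
        perms = "".join(sorted({MASK_TO_PERM.get(m, m) for m in f["denied_mask"]}))
        counts[(f["profile"], f["name"], f.get("comm", "?"), perms)] += 1
    return counts

def candidate_rules(log_text):
    """Return one candidate rule per denied path, scoped to that exact path."""
    return sorted({f"{path} {perms}," for (_, path, _, perms) in summarize(log_text)})

if __name__ == "__main__":
    for (profile, path, comm, perms), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x profile={profile} comm={comm} path={path} needs={perms}")
    for rule in candidate_rules(SAMPLE_LOG):
        print("candidate rule:", rule)
```

The grouped output also shows that the denied process is the smb helper running under the /usr/sbin/cupsd profile, which is the point made earlier in the thread about the CUPS backend.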

Seth Arnold (seth-arnold) wrote :

Hi Till, can you give this another look?

What is cups doing with smb here? Does it make more sense to give write access to this entire directory as Stefan suggests or just to the specific /var/cache/samba/gencache.tdb that was in the original report?

Thanks

Changed in cups (Ubuntu):
status: Expired → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cups (Ubuntu):
status: New → Confirmed
IC Raibow (icrbow) wrote :

Still present in 17.10. Adding permission from #11 appears to solve it.

Claudio Kuenzler (napsty) wrote :

Still present in 18.04.

Bert Van de Poel (bhack) wrote :

I can confirm as well for 18.04. Still there, and #11 still solves it.
