cups 1.4.7-1 fails to start with new apparmor profile (/var/run -> /run)

Bug #810687 reported by Jason Conti
This bug affects 9 people
Affects: cups (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Jamie Strandboge

Bug Description

Upgraded oneiric today and the upgrade froze after:

Setting up apport-gtk (1.21.2-0ubuntu3) ...
Setting up cups-common (1.4.7-1) ...
Setting up cups-client (1.4.7-1) ...
Setting up cups-bsd (1.4.7-1) ...
Setting up cups-ppdc (1.4.7-1) ...
Setting up cups (1.4.7-1) ...
Installing new version of config file /etc/init/cups.conf ...
Installing new version of config file /etc/apparmor.d/usr.sbin.cupsd ...

And /var/log/kern.log kept repeating:

Jul 14 14:42:22 jconti-testing kernel: [ 2937.706695] type=1400 audit(1310668942.977:1049): apparmor="STATUS" operation="profile_replace" name="/usr/lib/cups/backend/cups-pdf" pid=17728 comm="apparmor_parser"
Jul 14 14:42:22 jconti-testing kernel: [ 2937.707902] type=1400 audit(1310668942.977:1050): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=17728 comm="apparmor_parser"
Jul 14 14:42:23 jconti-testing kernel: [ 2937.725707] type=1400 audit(1310668942.997:1051): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/var/run/cups/cups.sock" pid=17729 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 14:42:23 jconti-testing kernel: [ 2937.725951] type=1400 audit(1310668942.997:1052): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/var/run/cups/cupsd.pid" pid=17729 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 14:42:23 jconti-testing kernel: [ 2937.726637] init: cups main process (17729) terminated with status 1
Jul 14 14:42:23 jconti-testing kernel: [ 2937.726684] init: cups main process ended, respawning

The upgrade completed successfully once I stopped the cups service. This seems to be because /etc/apparmor.d/usr.sbin.cupsd was updated to only allow access to /run, but it seems cupsd still wants to write to /var/run (which is now just a bind mount of /run).

I managed to get the service started by adding the following lines to /etc/apparmor.d/local/usr.sbin.cupsd:

/var/run/cups/ rw,
/var/run/cups/** rw,
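
A triage sketch for the denials above, added here as an example and not part of the original report: it parses the AppArmor audit lines and flags DENIED paths under /var/run whose /run equivalent the profile would allow. The `allowed_prefixes` value is an assumption standing in for the profile's /run rules, and the last sample log line is constructed.

```python
import re
from collections import defaultdict

# First three lines come from the kern.log excerpt in the report; the last one is constructed.
SAMPLE_LOG = """\
Jul 14 14:42:22 jconti-testing kernel: [ 2937.707902] type=1400 audit(1310668942.977:1050): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=17728 comm="apparmor_parser"
Jul 14 14:42:23 jconti-testing kernel: [ 2937.725707] type=1400 audit(1310668942.997:1051): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/var/run/cups/cups.sock" pid=17729 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 14:42:23 jconti-testing kernel: [ 2937.725951] type=1400 audit(1310668942.997:1052): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/var/run/cups/cupsd.pid" pid=17729 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 14:42:24 jconti-testing kernel: [ 2937.800000] type=1400 audit(1310668943.100:1053): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/home/example/notes.txt" pid=17729 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
"""

# key=value or key="quoted value" pairs as they appear in type=1400 audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def alias_denials(log_text, allowed_prefixes=("/run/cups/",)):
    """Group DENIED paths under /var/run whose /run twin falls under an allowed prefix.

    allowed_prefixes is an assumed summary of the profile's /run rules.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_audit(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue  # skip STATUS/ALLOWED records and non-audit lines
        path = fields.get("name", "")
        if path.startswith("/var/run/"):
            twin = path[len("/var"):]  # /var/run/x -> /run/x
            if twin.startswith(tuple(allowed_prefixes)):
                hits[fields.get("profile", "?")].add(
                    (fields.get("operation"), path, fields.get("denied_mask")))
    return {profile: sorted(entries) for profile, entries in hits.items()}


if __name__ == "__main__":
    for profile, entries in alias_denials(SAMPLE_LOG).items():
        for operation, path, mask in entries:
            print(f"{profile}: {operation} {path} (mask {mask}) is covered only via /run")
```

Denials it does not flag, like the constructed /home line, are unrelated to the /var/run alias and need separate review rather than a blanket local override.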

Changed in cups (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → oneiric-alpha-3
status: New → Triaged
Changed in cups (Ubuntu):
status: Triaged → In Progress
Till Kamppeter (till-kamppeter) wrote :

I have the same problem, had to do

sudo aa-complain cupsd

and then get in /var/log/syslog

Jul 14 21:54:59 localhost6 kernel: [110707.127146] type=1400 audit(1310673299.636:392): apparmor="ALLOWED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/var/run/cups/certs/0" pid=27266 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

When abolishing /var/run/ in favor of /run/, CUPS itself needs to get built appropriately.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.4.7-1ubuntu1

---------------
cups (1.4.7-1ubuntu1) oneiric; urgency=low

  * debian/local/apparmor-profile: we need to allow both /var/run and /run
    for upgrades (LP: #810687)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 14:48:31 -0500

Changed in cups (Ubuntu):
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

Thanks Jamie, committed to Debian bzr, too.
