Ubuntu
cups package

Cups needs access to /run/samba/

Bug #812035 reported by Jean-Louis Dupond
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cups (Ubuntu)
Fix Released
Undecided
Martin Pitt

Bug Description

When I added a new printer on a remote SMB share, apparmor complained about access to /run/samba/.

[11150.313060] type=1400 audit(1310939778.409:18): apparmor="DENIED" operation="mkdir" parent=930 profile="/usr/sbin/cupsd" name="/run/samba/" pid=4148 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7

Guess we should add this to the apparmor rules file.

Oh and I have cups 1.4.7-1ubuntu1 on Oneiric

See original description
Tags: apparmor
Micah Gersten (micahg)
tags: added: apparmor
Jean-Louis Dupond (dupondje)
description: updated
Till Kamppeter (till-kamppeter)
Changed in cups (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti)
Changed in cups (Ubuntu):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.4.7-1ubuntu2

---------------
cups (1.4.7-1ubuntu2) oneiric; urgency=low

  Upload current Debian bzr packaging trunk.

  [ Jamie Strandboge ]
  * debian/local/apparmor-profile: we need to allow both /var/run and /run
    for upgrades (LP: #810687)

  [ Martin Pitt ]
  * debian/local/apparmor-profile: Allow cupsd to write /run/samba.
    (LP: #812035)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 14:48:31 -0500

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

Jamie and Jelmer pointed out that this is the wrong thing to do, as the directory is configurable, and writing into it should be none of cups' business. Did the AppArmor denial actually cause the added printer to not work, or did you just happen to see the error message in dmesg?

Changed in cups (Ubuntu):
status: Fix Released → Incomplete
Revision history for this message
Martin Pitt (pitti) wrote :

Used an explicity "deny" now, to avoid the error message. Thanks for confirming!

Changed in cups (Ubuntu):
status: Incomplete → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.4.7-1ubuntu3

---------------
cups (1.4.7-1ubuntu3) oneiric; urgency=low

  Upload current Debian packaging bzr head, can't go into Debian yet.

  [ Till Kamppeter ]
  * debian/filters/pstopdf: Added "-dNOINTERPOLATE" to the Ghostscript command
    line, this makes Ghostscript vastly faster.
  * debian/patches/use-ps2write-ghostscript-device-for-pdftops-filter.patch:
    Regenerated the patch, as we actually use it now. The "ps2write" output
    device produces finally DSC-conforming PostScript and so we can use
    Ghostscript for the pdftops filter. Made the patch also adding the
    "-dNOINTERPOLATE" to the Ghostscript command line.
  * debian/patches/series: Reactivated
    use-ps2write-ghostscript-device-for-pdftops-filter.patch and promoted it
    to the patches which should be submitted upstream.
  * debian/rules: Build CUPS with a Ghostscript-based pdftops filter.
  * debian/rules: Do not rename the pdftoraster filter of the PDF filter
    add-on any more as Ghostscript has the unified gstoraster filter now.
    Change the cost factor to make Ghostscript's filter being preferred.
  * debian/control: Let the "cups" package require at least version 9.02
    of Ghostscript, as this version does not ship a filter named pdftoraster
    any more.

  [ Jamie Strandboge ]
  * debian/local/apparmor-profile: we need to allow both /var/run and /run
    for upgrades (LP: #810687)

  [ Martin Pitt ]
  * debian/local/apparmor-profile: Explicitly deny cupsd to write /run/samba,
    to avoid dmesg errors. (LP: #812035)
  * debian/control: Slightly relax ghostscript dependency to also match
    current Debian version.
 -- Martin Pitt <email address hidden> Fri, 22 Jul 2011 06:40:02 +0200

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.