apparmor profile error messages

Bug #139665 reported by Pär Lindfors
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cupsys (Ubuntu)
Martin Pitt

Bug Description

The cupsys apparmor profile is still to restrictive. I am using cupsys 1.3.0-4ubuntu3 on amd64 and get the following errors to dmesg.

This is when trying to print to PDF, which seems to fail:

[110434.217141] audit(1189790585.293:18281): operation="capable" name="dac_override" pid=2357 profile="/usr/lib/cups/backend/cups-pdf"
[110434.217150] audit(1189790585.293:18282): operation="capable" name="dac_read_search" pid=2357 profile="/usr/lib/cups/backend/cups-pdf"
[110434.232496] audit(1189790585.321:18283): operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/papersize" pid=2362 profile="/usr/lib/cups/backend/cups-pdf"

The following is when printing a single page to my USB printer that I think is using the hpijs backend. No errors in cups logs, and the page printed fine, but still prints apparmor warnings to dmesg.

[110473.515355] audit(1189790675.717:18284): operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=2442 profile="/usr/sbin/cupsd"
[110473.542908] audit(1189790675.773:18285): operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=2445 profile="/usr/sbin/cupsd"

localhost - - [14/Sep/2007:19:24:35 +0200] "POST /printers/skrivare HTTP/1.1" 200 226016 Print-Job successful-ok

skrivare spacewoman 56 [14/Sep/2007:19:24:37 +0200] 1 1 - localhost

Revision history for this message
Mathias Gug (mathiaz) wrote :

I'Ve attached a patch that fixes the profile.

Revision history for this message
Martin Pitt (pitti) wrote :

I fixed the access to /etc/papersize yesterday. cupsd should not get dac_override and dac_read_search, those are too powerful.

Neither there is a reason for cupsd to write to /dev/tty*. I'd rather track down the reason why it tries that in the first place and change the code to not do it.

I committed 'm' access to passwd and group to bzr head. Quite strange, but it doesn't hurt.

Revision history for this message
Daniel Holbach (dholbach) wrote :

Unsubscribing Ubuntu Sponsors for main from this bug for now.

Changed in cupsys:
status: New → Incomplete
Revision history for this message
Pär Lindfors (paran) wrote :

Martin: I am not seeing any more cups audit messages, but on the other hand some of the "too powerful" capabilities seems to have been given to cups now. If I can help debug this further to produce a better solution please let me know.

Revision history for this message
TJ (tj) wrote :

Martin's comment about /dev/tty and cupsd seems related to an issue I've recently experienced and attached a report to bug #147800 "...bluetooth printing was working but is not..."

Disabling appamor provided a work-around in that case but I'd like to sort the issue out with appamor or cupsd.

Changed in cupsys:
assignee: nobody → pitti
importance: Undecided → Medium
Revision history for this message
waldheinz (waldheinz) wrote :

Under 7.10, when apparmor is in enforce mode, a HP 920 cxi printer can not be used. I assume it's the same problem, as this printer needs the pnm2ppa tool to work (it's a GDI - printer). When apparmor is disabled everything works as expected.

Revision history for this message
Robert Di Gioia (digioiar) wrote :

Hi. Since upgrade from fiesty to gutsy, I've been getting apparmor messages when I print. My printer is connected to an XP box, so I'm using samba.

Dec 15 17:20:51 gandalf kernel: [26194.092000] audit(1197757250.417:11): type=1503 operation="file_mmap" requested_mask="mr" denied_mask="m" name="/usr/share/samba/lowcase.dat" pid=7208 profile="/usr/sbin/cupsd"
Dec 15 17:20:51 gandalf kernel: [26194.160000] audit(1197757250.417:12): type=1503 operation="file_mmap" requested_mask="mr" denied_mask="m" name="/usr/share/samba/valid.dat" pid=7208 profile="/usr/sbin/cupsd"

After reading up on apparmor, and reviewing /etc/apparmor.d/usr.sbin.cupsd, and noticing that there is a samba profile in the /etc/apparmor.d/abstractions directory, I tried adding the following line to /etc/apparmor.d/usr.sbin.cupsd, and it no longer generates messages when printing. I added it to the end of the #include section.

#include <abstractions/samba>

My thought is that it may be good to add samba to the apparmor cups profile on a go-forward basis to keep syslog noise down.

Hope that this is of some help.

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Robert Di Gioia, this problem with Samba and AppArmor is fixed in both Hardy and gutsy-updates. DFid you update to at least to current gutsy-updates? If not, please do so.

Please report whether you problem gets fixed by the updates.

If not, post the output of

dpkg -p cupsys

Revision history for this message
Martin Pitt (pitti) wrote :


can you please confirm that the current cupsys package in gutsy-updates (version 1.3.2-1ubuntu7.5) fixes the samba issue?

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Robert Di Gioia, I am closing this bug as it should be fixed. If you have still problems, please do the updates and answer my questions of my previous posting and reopen the bug. Thanks.

Changed in cupsys:
status: Incomplete → Fix Released
Revision history for this message
Robert Di Gioia (digioiar) wrote :

Hi Till

Thanks for working on this, and sorry for the slow response, its been a busy week.

My system is up to date, with the updated version of cupsys installed (see below for output of dpkg-query -W), but my /etc/apparmor.d/usr.sbin.cupsd has not been updated since January. However, since I reported it in December, maybe it has been that long since it was fixed...either way, my system is working well.

Thanks again!

-rw-r--r-- 1 root root 3379 2008-01-16 21:48 usr.sbin.cupsd

robert@gandalf:/etc/apparmor.d> dpkg-query -W cupsys
cupsys 1.3.2-1ubuntu7.5

Revision history for this message
Casey Watson (watsoncj) wrote :

I noticed that Mathias' patch contained the following entry:

/etc/password m,

Is this a typo?

Revision history for this message
Martin Pitt (pitti) wrote :

Indeed it is, it should be /etc/passwd. However, I fixed that when I applied the patch to the package.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers