apparmor should have a 'usr' tunable

Bug #160002 reported by Valéry FRONTERE on 2007-11-04
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Jamie Strandboge
cupsys (Ubuntu)

Bug Description

Binary package hint: cupsys

Following upgrade feisty-gutsy cupsd doesn't launch anymore.

root@valeryb:/etc# cupsd
cupsd: error while loading shared libraries: cannot open shared object file: No such file or directory

ldconfig finds it.

A small strace:
root@valeryb:/etc# strace cupsd
execve("/usr/sbin/cupsd", ["cupsd"], [/* 51 vars */]) = 0
brk(0) = 0x80a5000
access("/etc/", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f6b000
access("/etc/", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=75148, ...}) = 0
mmap2(NULL, 75148, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f58000
close(3) = 0
access("/etc/", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/", O_RDONLY) = -1 EACCES (Permission denied) <<<********************* here
open("/lib/tls/i686/sse2/cmov/", O_RDONLY) = -1 ENOENT (No such file or directory)

A small C prog opens lib OK:
#include <fcntl.h>   /* open(), O_RDONLY */
int main(int argc, char *argv[])
{
    int i;
    i=open("/usr/lib/", O_RDONLY);   /* same path cupsd was denied */
}

-> OK result, and not EACCES

Perhaps something special for me, /usr/lib is a symbolic link to another fs.

Any idea?

Valéry FRONTERE (vfrontere) wrote :

In fact the problem should not be specific to cupsys.

ldd reports libraries not found in cupsd but found in cupsenable or other binaries!

root@valeryb:/home/valery# ldd /usr/sbin/cupsd
        => (0xffffe000)
        => not found
        => not found
        => not found
        => /lib/ (0xb7ef6000)
        => not found
        => not found
        => not found
        => not found
        => /lib/tls/i686/cmov/ (0xb7edd000)
        => not found
        => not found
        => /lib/tls/i686/cmov/ (0xb7d93000)
        => /lib/tls/i686/cmov/ (0xb7d8e000)
        /lib/ (0xb7f17000)
root@valeryb:/home/valery# ldd /usr/sbin/cupsenable
        => (0xffffe000)
        => /home/usr/lib/ (0xb7f32000)
        => /lib/tls/i686/cmov/ (0xb7f1a000)
        => /lib/tls/i686/cmov/ (0xb7dcf000)
        => /home/usr/lib/ (0xb7da6000)
        => /home/usr/lib/ (0xb7d1e000)
        => /home/usr/lib/ (0xb7cf9000)
        => /lib/ (0xb7cf6000)
        => /home/usr/lib/ (0xb7c86000)
        => /lib/tls/i686/cmov/ (0xb7c60000)
        => /lib/tls/i686/cmov/ (0xb7c32000)
        => /home/usr/lib/ (0xb7c1d000)
        /lib/ (0xb7f7d000)
        => /home/usr/lib/ (0xb7c15000)
        => /lib/tls/i686/cmov/ (0xb7c11000)
        => /lib/ (0xb7c0e000)
        => /lib/tls/i686/cmov/ (0xb7bfb000)
        => /home/usr/lib/ (0xb7beb000)
        => /home/usr/lib/ (0xb7be7000)
        => /home/usr/lib/ (0xb7b96000)

Brian Murray (brian-murray) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It would be helpful to know which particular version of cupsys you have installed. You can check via the command 'dpkg -l cupsys | cat' in a terminal. Thanks in advance.

Changed in cupsys:
status: New → Incomplete

Brian Murray (brian-murray) wrote :

We are closing this bug report as it lacks the information, described in the previous comments, we need to investigate the problem further. However, please reopen it if you can give us the missing information and feel free to submit bug reports in the future.

Changed in cupsys:
status: Incomplete → Invalid

JanCeuleers (jan-ceuleers) wrote :

I also have this problem. Requested information follows.

root@via:~# dpkg -l cupsys | cat
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
iF cupsys 1.3.2-1ubuntu7.6 Common UNIX Printing System(tm) - server

JanCeuleers (jan-ceuleers) wrote :

Missing information, which caused the bug to have been closed previously, has now been provided.
Moreover, the bug also occurs on my system, which is a different system from that of the original reporter, such that the bug is confirmed.

Changed in cupsys:
status: Invalid → Confirmed

JanCeuleers (jan-ceuleers) wrote :

The problem appears to be related to AppArmor. Stopping AppArmor before starting cupsys removes the symptom of cupsd not being able to load
As with the original reporter, on my system /usr/lib is a soft link to another file system.

Kees Cook (kees) wrote :

AppArmor abstractions need to be updated to include a configurable "/usr" path.

Changed in cupsys:
importance: Undecided → Wishlist
status: Confirmed → Triaged
status: Triaged → Invalid
Changed in apparmor:
importance: Undecided → Wishlist
status: New → Triaged

James (james-bateman) wrote :

I can confirm cupsd fails to load when /usr/lib is a symlink to another file system. It reports:

cupsd: error while loading shared libraries: cannot open shared object file: No such file or directory

Perhaps more importantly, 'ldd /usr/sbin/cupsd' reported many libraries as 'not found'.

Both of these symptoms are resolved by moving the lib directory back to /usr/ and dispensing with the symlink.

I do not have enough knowledge to say whether this is a bug, or merely a matter of configuring AppArmor.

James (james-bateman) wrote :

$ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 9.04
Release: 9.04
Codename: jaunty

summary: - cupsd doesn't launch because EACCESS
+ apparmor should have a 'usr' tunable

JanCeuleers (jan-ceuleers) wrote :

The recent change of description of this bug suggests a particular solution to the problem, which I think is incomplete.

The problem occurs on my machine because, although /usr is located on the root filesystem, several of the directories under /usr are soft links to targets on a different filesystem. I need to do this because the root filesystem is a smallish flash disk that does not have enough space to hold some of the files that are needed only late in the boot process (such as X etc).

I have fixed this by changing all of the apparmor configuration files that contain impacted paths to include the target path. Laborious, although such an update could probably be automated.

Perhaps a dpkg-reconfigure hook could be added to enable the admin to update the apparmor config files when particular files or directories have been moved.

Jamie Strandboge (jdstrand) wrote :

Jan, your configuration is highly specialized and the complexity of implementing this in packaging would be high and likely incomplete for others with different setups. That said, providing an easy way for people to use aliases with examples in tunables/alias would make it so people with these specialized setups (like yourself) could modify one file instead of many.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
milestone: none → lucid-alpha-3

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+bzr1312-0ubuntu4

apparmor (2.3.1+bzr1312-0ubuntu4) lucid; urgency=low

  * 0001-tunable-alias.patch: backport r1330 to make it easier for people
    to use AppArmor's alias rules (LP: #160002)
 -- Jamie Strandboge <email address hidden> Mon, 11 Jan 2010 14:31:06 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
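
The thread settles on alias rules in tunables/alias for systems where directories under /usr are symlinks, and one comment notes that generating the needed entries could be automated. The shell function below is an added example, not part of this bug report or of the AppArmor package: `gen_aliases` is a hypothetical helper name, and the demo tree it runs on is constructed to mirror the /usr/lib -> /home/usr/lib layout seen in the ldd output above.

```shell
#!/bin/sh
# Added example (not from the bug report or the AppArmor package).
# AppArmor matches rules against the resolved path, so a profile rule
# written for /usr/lib/... does not cover files that really live under
# /home/usr/lib/... . An alias rule maps the profile path to the real one.

# gen_aliases ROOT
# Print one alias rule for each entry directly under ROOT (default /usr)
# that is a symlink resolving to a directory.
gen_aliases() {
    root=${1:-/usr}
    for entry in "$root"/*; do
        # Skip regular directories, files and dangling links.
        [ -L "$entry" ] && [ -d "$entry" ] || continue
        # Canonical target of the link (readlink -f is GNU coreutils/busybox).
        target=$(readlink -f -- "$entry") || continue
        # Left side: path as written in profiles. Right side: real location.
        printf 'alias %s/ -> %s/,\n' "$entry" "$target"
    done
}

# Constructed demo tree: usr/bin is a real directory, usr/lib is a symlink
# to home/usr/lib, as on the reporters' machines.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin" "$demo/home/usr/lib"
ln -s "$demo/home/usr/lib" "$demo/usr/lib"
gen_aliases "$demo/usr"
rm -rf "$demo"
```

Run against the real tree, `gen_aliases /usr` on the reporter's layout would produce `alias /usr/lib/ -> /home/usr/lib/,`, which is the form of rule that goes into tunables/alias. Review the generated lines before adding them, since each alias widens every profile's rules for that path to the target location.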