cupsd is not allowed to access /var/cache/samba/gencache.tdb by apparmor

Bug #1371097 reported by Theodotos Andreou
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
cups (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |

Bug Description

For some reason /usr/sbin/cupsd tries to access /var/cache/samba/gencache.tdb. I have a printer set up via samba so that may be the reason.

The apparmor profile for cupsd does not allow this. I get this error in the logs:

 kernel: [284527.967015] type=1400 audit(1411040510.770:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1722 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

A listing of the apparmor profile (/etc/apparmor.d/usr.sbin.cupsd) is here:
http://pastebin.ubuntu.com/8372024/

The file /etc/apparmor.d/usr.sbin.cupsd belongs to the cups-daemon package

The system silently fails to print from GUI. The funny part is that I printed something successfully the day I set the printer up (yesterday).

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: cups-daemon 1.7.2-0ubuntu1.2
ProcVersionSignature: Ubuntu 3.13.0-35.62-generic 3.13.11.6
Uname: Linux 3.13.0-35-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.14.1-0ubuntu3.4
Architecture: amd64
CupsErrorLog:

Date: Thu Sep 18 15:27:52 2014
InstallationDate: Installed on 2014-09-01 (17 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
Lpstat: device for SRB01PR001: smb://prs03ist00.lim.tepak.int/SRB01PR001
MachineType: Apple Inc. MacPro5,1
Papersize: a4
PpdFiles: SRB01PR001: HP Color LaserJet CP3505 Postscript (recommended)
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.13.0-35-generic.efi.signed root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
SourcePackage: cups
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.cups:
 # Cups configure options

 # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
 # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
 # LOAD_LP_MODULE=yes
mtime.conffile..etc.default.cups: 2014-07-23T01:20:18

Till Kamppeter (till-kamppeter) wrote :

pitti, can you have a look what is missing here in the AppArmor profile? Thanks.

Martin Pitt (pitti) wrote :

I have no idea what that file is, but reading it seems quite safe. So just add

  /var/cache/samba/*.tdb r,

where the other samba related permissions are.

Changed in cups (Ubuntu):
status: New → Triaged
no longer affects: samba (Ubuntu)
Theodotos Andreou (theodotos) wrote :

Hi Martin,

I added the following lines at the end of /etc/apparmor.d/usr.sbin.cupsd:

  # cupsd needs access to /var/cache/samba/gencache.tdb

  /var/cache/samba/*.tdb r,
}

Restarted the computer and I still get:

http://paste.ubuntu.com/8379136/

Cups thinks that everything is OK:

localhost - - [19/Sep/2014:14:04:52 +0300] "POST /printers/SRB01PR001 HTTP/1.1" 200 259046 Print-Job successful-ok

Martin Pitt (pitti) wrote : Re: [Bug 1371097] Re: cupsd is not allowed to access /var/cache/samba/gencache.tdb by apparmor

Theodotos Andreou [2014-09-19 11:11 -0000]:
> Restarted the computer and I still get:

That might not be enough. Can you please try

  sudo /etc/init.d/apparmor teardown
  sudo /etc/init.d/apparmor start

after the profile update (well, you already made that)? That should
rebuild the binary apparmor profiles.

If that doesn't help either, I'm afraid I don't know either; that's a
question for the AppArmor folks then.

Theodotos Andreou (theodotos) wrote :

The teardown option did the trick!

Thanks Martin!

Theodotos Andreou (theodotos) wrote :

Should I prepare a patch?

Changed in cups (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in cups (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.7.5-2ubuntu1

---------------
cups (1.7.5-2ubuntu1) utopic; urgency=medium

  * debian/local/apparmor-profile:
    - move Ux to Cx -> third_party and provide a third_party child profile. In
      this manner, we can add some modest confinement (can't change MAC
      policy, change_profile or mount) but more importantly it allows us to
      specify peer=third_party to restrict where the strictly confined cups
      process can send signals (LP: #1370930)
    - allow r of /var/cache/samba/*.tdb (LP: #1371097)
    - allow r of /var/{cache,lib}/samba/printing/printers.tdb
 -- Jamie Strandboge <email address hidden> Wed, 24 Sep 2014 11:24:03 -0500

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released
TEN (launchpad-20-ten) wrote :

Probably triggered by some recent package update,
Ubuntu 14.04.3 LTS 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
reports in /var/log/kern.log:

type=1400 audit(1439324668.029:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1019 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

The above message can be prevented by this addition to /etc/apparmor.d/usr.sbin.cupsd from bug 1371097 after the following comment:

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.cupsd>

  /var/cache/samba/*.tdb r,

However, another error follows, also repeatedly:

type=1400 audit(1439325510.504:68): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=952 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

For this one, suggestions not directly applicable to LTS seem to be made in bug 1370930 with a fix for other versions.
How can this best be applied to also fix Ubuntu 14.04.3 ?
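
A triage helper for the denial records quoted in this thread, added here as an example and not part of the original report or the cups package: it parses AppArmor `DENIED` lines, turns plain file denials into exact-path candidate rules for the profile's local include, and leaves everything else (such as the signal denial) for manual review. The function names and the embedded sample log are constructed for illustration.

```python
import re

# Constructed sample input: the two denial records quoted in the comment above.
SAMPLE_LOG = '''\
type=1400 audit(1439324668.029:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1019 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
type=1400 audit(1439325510.504:68): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=952 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
'''

# key=value pairs; the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of fields per AppArmor DENIED record in text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            records.append({k: q or b for k, q, b in FIELD_RE.findall(line)})
    return records

def suggest(records):
    """Return (candidate rules per profile, denials that need manual review)."""
    rules, review = {}, []
    for r in records:
        # Log masks use c (create) and d (delete); profiles express both as w.
        mask = "".join(dict.fromkeys(
            "w" if c in "cd" else c for c in r.get("denied_mask", "")))
        is_plain_file = (r.get("name", "").startswith("/")
                         and mask and set(mask) <= set("rwaklm"))
        if is_plain_file:
            rule = "{} {},".format(r["name"], mask)
            bucket = rules.setdefault(r.get("profile"), [])
            if rule not in bucket:
                bucket.append(rule)
        else:
            # exec, signal, ptrace, hex-encoded names: a human decides these.
            review.append((r.get("profile"), r.get("operation"), r.get("peer")))
    return rules, review

if __name__ == "__main__":
    rules, review = suggest(parse_denials(SAMPLE_LOG))
    for profile, lines in rules.items():
        print("# candidate lines for the local include of", profile)
        for line in lines:
            print("  " + line)
    for item in review:
        print("# review manually:", item)
```

The helper emits the exact denied path; widening it to a glob such as the `/var/cache/samba/*.tdb r,` used in this thread is a reviewer's decision. After editing the profile or its local include, `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd` reloads it.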
