Ubuntu
cups package

cups and cups-pdf denials in snapd autopkgtests on zesty

Bug #1675503 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cups (Ubuntu)
Fix Released
Medium
Jamie Strandboge

Bug Description

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-zesty/zesty/amd64/s/snapd/20170323_131353_98370@/log.gz:

[ 1146.168148] audit: type=1400 audit(1490272816.901:880): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=26489 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd"
[ 1146.168154] audit: type=1400 audit(1490272816.901:881): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=26489 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf"
[ 1146.190654] audit: type=1400 audit(1490272816.921:882): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/etc/cups/ppd/PDF.ppd" pid=26489 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1146.191113] audit: type=1400 audit(1490272816.921:883): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/etc/cups/ppd/PDF.ppd" pid=26489 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1146.191710] audit: type=1400 audit(1490272816.921:884): apparmor="DENIED" operation="mknod" profile="/usr/lib/cups/backend/cups-pdf" name="/var/log/cups/cups-pdf-PDF_log" pid=26489 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Tags: apparmor
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

From the denials, it seems like adding this to the cups profile:

  unix peer=(label=/usr/lib/cups/backend/cups-pdf),

and this to cups-pdf:

  /etc/cups/ppd/*.ppd r,
  /var/log/cups/cups-pdf-*_log rw,
  unix peer=(label=/usr/sbin/cupsd),

should fix the issue (untested).

summary: - sups and cups-pdf denials in snapd autopkgtests
+ cups and cups-pdf denials in snapd autopkgtests
summary: - cups and cups-pdf denials in snapd autopkgtests
+ cups and cups-pdf denials in snapd autopkgtests on zesty
Jamie Strandboge (jdstrand)
Changed in cups (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: New → In Progress
tags: added: apparmor
Jamie Strandboge (jdstrand)
Changed in cups (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, I noticed Ubuntu was in sync with Debian so I filed https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858571.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 2.2.2-1ubuntu1

---------------
cups (2.2.2-1ubuntu1) zesty; urgency=medium

  * debian/local/apparmor-profile:
    - allow cupsd and cups-pdf to communicate via Unix sockets (LP: #1675503)
    - adjust cups-pdf log location
    - allow cups-pdf to read /etc/cups/ppd/*.ppd
    - silence noisy denials for cupsd occasionally trying to send signals to
      unconfined
    - allow capability wake_alarm (seen in LP: 1641985)

 -- Jamie Strandboge <email address hidden> Thu, 23 Mar 2017 17:55:49 +0000

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.