Audit failure in CUPS for Brother DCP-9045CDN

Bug #237256 reported by Dave Wolfe
Affects                             Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)                   Invalid       Undecided   Unassigned
  Intrepid                          Invalid       Undecided   Unassigned
  Jaunty                            Invalid       Undecided   Unassigned
brother-cups-wrapper-ac (Ubuntu)    Invalid       Undecided   Unassigned
  Intrepid                          Invalid       Undecided   Unassigned
  Jaunty                            Invalid       Undecided   Unassigned
cups (Ubuntu)                       Fix Released  Undecided   Martin Pitt
  Intrepid                          Fix Released  Undecided   Unassigned
  Jaunty                            Fix Released  Undecided   Martin Pitt

Bug Description

Binary package hint: brother-cups-wrapper-ac

Hardy Heron 8.04 (desktop), package brother-cups-wrapper-ac version 1.0.0-7-0ubuntu3

After installing the package and adding a DCP-9045CDN network printer, CUPS reports "permission denied" for /usr/Brother/Printer/dcp9045cdn/cupswrapper/brlpdwrapper_dcp9045cdn and fails to print. Logged error is:

Jun 3 22:29:30 www kernel: [106056.326361] audit(1212550170.759:4): type=1503 operation="inode_permission" requested_mask="Ux::" denied_mask="Ux::" name="/usr/Brother/Printer/dcp9045cdn/cupswrapper/brlpdwrapper_dcp9045cdn" pid=22741 profile="/usr/sbin/cupsd" namespace="default"

Stopping apparmor allows the printer to work, at least until auditing is started again. Perhaps the apparmor configuration needs to be updated when new drivers are installed?

Mathias Gug (mathiaz) wrote :

The profile for cups is in the cupsys package. Marking as Invalid for the apparmor package.

Changed in apparmor:
status: New → Invalid
Alexander Kirillov (shurik179) wrote :

Bug still present in Ubuntu 8.10

Saivann Carignan (oxmosys) wrote :

I really don't know if this should be fixed in cupsd package or in my packages. brother-cups-wrapper-* also provides apparmor rules? If someone who knows apparmor well can take a look at this issue, it might be useful.

Alexander Kirillov (shurik179) wrote :

An easy way to fix it would be to do it in cupsd package, by adding to the profile file /etc/apparmor.d/usr.sbin.cupsd a line
/usr/Brother/Printer/** rix

It will do no harm if brother drivers are not present

One could also make a change in brother-cups-wrapper-*, but I am not certain what would be the best way of doing this. A post-install script that modifies /etc/apparmor.d/usr.sbin.cupsd, probably?

Alexander Kirillov (shurik179) wrote :

Another thought: one could also get an easy fix by changing the location of the installed drivers, installing them not in /usr/Brother/... but, e.g., in /opt/Brother/... (the cupsd profile already contains the line
/opt/** rix )
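
An added illustration, not part of the original thread or of the cups package: this Python sketch parses the audit record from the bug description and checks it against the two profile rules mentioned in the comments above. It handles only the *, ** and ? globs and treats any mask containing "x" as an execute request; both are simplifying assumptions, and the rule lists are excerpts, not the full cupsd profile.

```python
import re

# Audit record quoted in the bug description.
AUDIT_LINE = (
    'Jun 3 22:29:30 www kernel: [106056.326361] audit(1212550170.759:4): '
    'type=1503 operation="inode_permission" requested_mask="Ux::" '
    'denied_mask="Ux::" '
    'name="/usr/Brother/Printer/dcp9045cdn/cupswrapper/brlpdwrapper_dcp9045cdn" '
    'pid=22741 profile="/usr/sbin/cupsd" namespace="default"'
)

# Rules named in the thread: the existing /opt rule and the proposed addition.
STOCK_RULES = ["/opt/** rix"]
PROPOSED_RULES = STOCK_RULES + ["/usr/Brother/Printer/** rix"]

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "audit(" not in line or "denied_mask=" not in line:
        return None
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate the *, ** and ? globs (a subset of AppArmor's syntax)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            piece, step = ".*", 2      # ** crosses directory separators
        elif glob[i] == "*":
            piece, step = "[^/]*", 1   # * stays within one path component
        elif glob[i] == "?":
            piece, step = "[^/]", 1
        else:
            piece, step = re.escape(glob[i]), 1
        out.append(piece)
        i += step
    return re.compile("".join(out) + r"\Z")

def covering_rule(denial, rules):
    """Return the first rule that matches the denied path and grants execute."""
    wants_exec = "x" in denial["denied_mask"].lower()
    for rule in rules:
        path_glob, perms = rule.rsplit(None, 1)
        if not glob_to_regex(path_glob).match(denial["name"]):
            continue
        if wants_exec and "x" not in perms:
            continue
        return rule
    return None
```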

Saivann Carignan (oxmosys) wrote :

Alexander Kirillov: Thanks for your guidance. Do you think that it might be realistic for Brother packages to provide their own apparmor profile which would have an impact on the cups profile as well? Or is it an obligation to modify the file in the current cups profile? If this can't be fixed by adding a new apparmor profile and we have to modify files in the cups apparmor profile, this has to be fixed in the cups package itself.

Alexander Kirillov (shurik179) wrote :

I am not an expert on apparmor at all, so I do not know whether adding a new profile can modify the existing one. Probably we have to ask in appropriate mailing list.

Till Kamppeter (till-kamppeter) wrote :

pitti, can you have a look what goes wrong with AppArmor here?

Martin Pitt (pitti) wrote :

Can you please download this new apparmor profile and install it with

  sudo cp usr.sbin.cupsd /etc/apparmor.d/
  sudo /etc/init.d/apparmor restart

and test whether it works?

Changed in brother-cups-wrapper-ac:
status: New → Invalid
Changed in cupsys:
assignee: nobody → pitti
status: New → Incomplete
Alexander Kirillov (shurik179) wrote :

Worked perfectly. I even ran
 sudo aa-enforce cupsd
to make sure that I had not earlier disabled audit

So please commit it....

Martin Pitt (pitti) wrote :

Thanks for testing! Committed to packaging trunk, will upload soon.

Changed in cupsys:
status: Incomplete → Fix Committed
Martin Pitt (pitti)
Changed in brother-cups-wrapper-ac:
status: New → Invalid
Changed in apparmor:
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.3.9-10

---------------
cups (1.3.9-10) experimental; urgency=low

  [ Till Kamppeter ]
  * debian/local/filters/pdf-filters/pdftopdf/P2PCatalog.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PCatalog.h,
    debian/local/filters/pdf-filters/pdftopdf/P2PDoc.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PDoc.h,
    debian/local/filters/pdf-filters/pdftopdf/P2PPage.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PPage.h,
    debian/local/filters/pdf-filters/pdftopdf/P2PPageTree.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PPageTree.h,
    debian/local/filters/pdf-filters/pdftopdf/pdftopdf.cxx: Fixed problem
    of Landscape-oriented PDF files being printed in the wrong orientation
    (LP: #47649, LP: #244840).

  * debian/local/filters/cpdftocps: Made correct number of copies being
    printed on PostScript printers with hardware copy handling (LP: #286048).

  [ Martin Pitt ]
  * debian/local/apparmor-profile: Allow cupsd to run Brother drivers.
    (LP: #237256)

 -- Martin Pitt <email address hidden> Wed, 17 Dec 2008 07:46:04 +0100

Changed in cups:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Accepted cups into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in cups:
status: New → Fix Committed
Till Kamppeter (till-kamppeter) wrote :

Can someone approve my uploaded cups 1.3.9-2ubuntu6 into -proposed? 1.3.9-2ubuntu5 is broken and prevents printing nearly completely.

Martin Pitt (pitti) wrote :

1.3.9-2ubuntu6 accepted into intrepid-proposed, please test this version instead. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.3.9-2ubuntu6

---------------
cups (1.3.9-2ubuntu6) intrepid-proposed; urgency=low

  * debian/local/filters/cpdftocps: Fixed the fix for the number of copies.
    In some cases it failed and pstops was called with 0 copies
    requested. (LP: #309314)

cups (1.3.9-2ubuntu5) intrepid-proposed; urgency=low

  [ Till Kamppeter ]
  * debian/local/filters/pdf-filters/pdftopdf/P2PCatalog.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PCatalog.h,
    debian/local/filters/pdf-filters/pdftopdf/P2PDoc.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PDoc.h,
    debian/local/filters/pdf-filters/pdftopdf/P2PPage.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PPage.h,
    debian/local/filters/pdf-filters/pdftopdf/P2PPageTree.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PPageTree.h,
    debian/local/filters/pdf-filters/pdftopdf/pdftopdf.cxx,
    debian/local/filters/pdf-filters/pdftopdf/P2PResources.cxx: Fixed problem
    of Landscape-oriented PDF files being printed in the wrong orientation
    (LP: #47649), added processing of the rotate tag (intrepid
    regression) (LP: #300312).
  * debian/local/filters/cpdftocps: Made correct number of copies
    being printed on PostScript printers with hardware copy handling
    (LP: #286048).

  [ Martin Pitt ]
  * debian/local/apparmor-profile: Allow cupsd to run Brother drivers.
    (LP: #237256)

 -- Till Kamppeter <email address hidden> Fri, 19 Dec 2008 15:58:55 +0100

Changed in cups:
status: Fix Committed → Fix Released