cups fails to print to network printer if resolvconf package is installed (apparmor)

Bug #286080 reported by schlehmil
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| apparmor (Ubuntu) | Fix Released | Low | Unassigned | |
| Intrepid | Fix Released | Undecided | Jamie Strandboge | |

Bug Description

Binary package hint: cupsys

I spent some time figuring out this problem. A few days ago I did a clean network installation of current Ubuntu Intrepid, and today I tried to print for the first time with the new installation to a network-attached printer. But instead of printing the document, CUPS complained about not finding my printer.
AFAIK the problem is the combination of the cupsys, apparmor and resolvconf packages. As cupsd tries to access "/etc/resolvconf/run/resolv.conf" when resolvconf is installed, the current cups apparmor profile prevents the access and fails.

[ 1589.722865] type=1503 audit(1224444992.988:13): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/etc/resolvconf/run/resolv.conf" pid=14169 profile="/usr/sbin/cupsd"

My current solution is to append the line " /etc/resolvconf/run/resolv.conf r," to /etc/apparmor.d/usr.sbin.cupsd. After that printing works fine.

----------------------------------

Package: cupsys
Status: install ok installed
Priority: extra
Section: oldlibs
Installed-Size: 88
Maintainer: Ubuntu Core Developers <email address hidden>
Architecture: all
Source: cups
Version: 1.3.9-1
Depends: cups
Description: Common UNIX Printing System (transitional package)
 This is a dummy package to ease transition to new package name.
Original-Maintainer: Debian CUPS Maintainers <email address hidden>

William Fernando Merlotto (william-prognus) wrote :

Hi!
This problem is also happening in my installation of Ubuntu, which is fully updated.
But I did as described above, added the line freeing access to resolv.conf in apparmor, and it worked very well.

Thx!

Steve Langasek (vorlon) wrote :

This needs to be added to the apparmor nameservice abstraction, not to cups.

Changed in cupsys:
status: New → Confirmed
Changed in apport:
importance: Undecided → Low
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

Fix committed to revision 926 of bzr branch.

Changed in apparmor:
status: Triaged → Fix Committed
Stefan Lesicnik (stefanlsd) wrote :

Proposal for SRU

apparmor 2.3+1289-0ubuntu4 in Intrepid prevents applications using resolvconf and requiring the nameservice abstraction from working.

Impact: This bug currently affects two reported bugs

Bug #286080: cups fails to print to network printer if resolvconf package is installed
Bug #292580: clamav-freshclam update dns problem

but would affect all systems using resolvconf and using the nameservice abstraction.

Fix: The fix has been committed to apparmor bzr as revision 926 - https://code.edge.launchpad.net/~ubuntu-core-dev/apparmor/ubuntu

Regression Potential: None are expected as the fix just allows apparmor to read resolv.conf from a different location.

I think it is important that this be applied as an SRU else users may turn apparmor off trying to get applications to function.

Stefan Lesicnik (stefanlsd) wrote :
Changed in apparmor:
assignee: nobody → jdstrand
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Thanks Stefan. These changes were already incorporated into the bzr branch, so I just used that. Bug #271252 is being used for the SRU tracking, but I'll add a comment to look here too.

Changed in apparmor:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu5

---------------
apparmor (2.3+1289-0ubuntu5) jaunty; urgency=low

  * abstractions/nameservice: allow read access to
    /etc/resolvconf/run/resolv.conf (LP: #286080)
  * adjust src/grammar.y and src/scanner.l to account for the moved type=NNNN
    field in 2.6.27 kernels and capture non-matching logfile input instead of
    printing it to stdout (LP: #271252). Patch thanks to Jesse Michael and
    Steve Beattie.
    - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1310
  * add syslog test cases to testsuite. Patch thanks to Steve Beattie.
    - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1307
    - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1308
    - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1309

 -- Jamie Strandboge <email address hidden> Tue, 21 Oct 2008 09:09:58 -0500

Changed in apparmor:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Tessa (unit3) wrote :

Just built and installed that updated package (https://launchpad.net/ubuntu/intrepid/+source/apparmor/2.3+1289-0ubuntu4.1) on intrepid/amd64, and I'm still having resolvconf complaints from clamd (headsup to jstrand). My kernel log contains lots of identical errors, that look like this:

kernel: [64349.416802] type=1502 audit(1225911697.794:4792): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=105 name="/etc/resolvconf/run/resolv.conf" pid=18074 profile="/usr/sbin/clamd"

Tessa (unit3) wrote :

After discussing with JD, looks like I assumed the package update did a force-reload on apparmor, which it didn't. After a force-reload, this seems to be fixed for me.

Thanks!

Jamie Strandboge (jdstrand) wrote :

I cannot reproduce. If I comment out the line in nameservice, and do:
$ sudo /etc/init.d/apparmor force-reload ; sudo /etc/init.d/clamav-daemon stop ; sudo /etc/init.d/clamav-daemon start
$ tail /var/log/kern.log
Nov 5 13:26:32 sec-intrepid-i386 kernel: [82343.462840] type=1503 audit(1225913192.088:50): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=116 name="/etc/resolvconf/run/resolv.conf" pid=14446 profile="/usr/sbin/clamd"

If I uncomment the line and do the above command, there is no error. Graeme only had some of the 2.3+1289-0ubuntu4.1 packages upgraded (we talked on IRC). Possibly the upgrade was not done via apt/update-manager or enabling -proposed was not done properly.

Jamie Strandboge (jdstrand) wrote :

Also, Graeme built his own packages. As of now, the proposed apparmor packages are still queued to be built.

Tessa (unit3) wrote :

Ok, status update. I did build my own packages, since they hadn't been built in proposed when we were talking this afternoon. I downloaded the -0ubuntu4.1 packages from launchpad, got the deps with "apt-get build-dep apparmor", and built with "dpkg-buildpackage -b".

I just tried the steps JD suggested, which is to install upgrade all the apparmor packages on my system to the *4.1 versions, and reboot the machine. I've just done that, and right after boot, kern.log contained the following (twice):

Nov 5 17:50:53 mr-t kernel: [ 73.191306] type=1502 audit(1225936253.889:35): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=105 name="/etc/resolvconf/run/resolv.conf" pid=6368 profile="/usr/sbin/clamd"

So, the packages I built myself don't seem to have done the trick to fix things.

Jamie Strandboge (jdstrand) wrote :

Graeme, can you check to see if /etc/apparmor.d/usr.sbin.clamd contains:
  #include <abstractions/nameservice>

Also, do you have multiple profiles defined for clamd (eg, maybe you backed up one in the /etc/apparmor.d directory and it is getting picked up)?

Tessa (unit3) wrote :

It does not contain that line, no.

I haven't manually defined any apparmor profiles, the first time I used apparmor was Tuesday after do-release-upgrade to intrepid made me install it. Everything I've got has come directly from either the Intrepid or the 4.1 proposed packages. Also, when I upgraded to 4.1, it didn't give me the typical debconf warning that I'd changed any config files and would I like to keep them or install the package maintainers' version, so I assumed it had replaced all the files in /etc/apparmor.d.

I've double-checked, and /etc/apparmor.d/usr.sbin.clamd is the only file in /etc/apparmor.d that contains a reference to clamd.

As well, since installing the proposed 4.1 packages, now I'm getting complaints about smbd:

Nov 6 00:21:35 mr-t kernel: [23514.474754] type=1502 audit(1225959695.171:1889): operation="inode_permission" requested_mask="rw::" denied_mask="w::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17324 profile="/usr/sbin/smbd"

And I can see the following in /etc/apparmor.d/usr.sbin.smbd:

  /var/lib/samba/** rk,

So that explains that, I just don't know why that would be different from the original Intrepid package. It doesn't warn me about that very often though, so it may be that I just didn't notice it from the original package.

Jamie Strandboge (jdstrand) wrote :

Thanks Graeme. As Graeme stated, the clamd profile does not contain the line, and is therefore not the one shipped with the package and not relevant to this report. The samba packages do not ship an enforcing profile, and the smbd log message is also not relevant to this bug.

Graeme, if the smbd is the default profile from apparmor-profiles, please file a separate bug against apparmor-profiles.

Tessa (unit3) wrote :

As we just discovered on IRC, Jamie actually had an updated version of the config and mine was the package version, so Jamie's updated config will have to make it into the clamav-daemon package at some point to fully fix this bug. :)

I'll also open an issue about that smbd stuff, since it does seem to be the package version of that config as well.

Martin Pitt (pitti) wrote :

Tested in bug 296492.

Martin Pitt (pitti) wrote :

Copied to intrepid-updates.

Changed in apparmor:
status: Fix Committed → Fix Released
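
Added example (not part of the bug report and not AppArmor project code): a Python triage script that parses the audit lines quoted in this thread and groups them by path. A path refused under more than one profile is reported as a candidate for a shared abstraction such as nameservice, which is where the fix ended up; the function names and the last, non-AppArmor sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# linux/audit.h: 1502 = AUDIT_APPARMOR_ALLOWED (logged, not blocked),
#                1503 = AUDIT_APPARMOR_DENIED
AA_TYPES = {"1502": "ALLOWED", "1503": "DENIED"}
HEADER = re.compile(r'type=(\d+) audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First three lines are quoted from the reports above; the fourth is constructed.
SAMPLE_LOG = '''\
[ 1589.722865] type=1503 audit(1224444992.988:13): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/etc/resolvconf/run/resolv.conf" pid=14169 profile="/usr/sbin/cupsd"
kernel: [64349.416802] type=1502 audit(1225911697.794:4792): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=105 name="/etc/resolvconf/run/resolv.conf" pid=18074 profile="/usr/sbin/clamd"
Nov 6 00:21:35 mr-t kernel: [23514.474754] type=1502 audit(1225959695.171:1889): operation="inode_permission" requested_mask="rw::" denied_mask="w::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17324 profile="/usr/sbin/smbd"
Nov 6 00:21:36 host kernel: [23515.000000] eth0: link up
'''

def parse_event(line):
    """Return a dict for an AppArmor file-access event, or None for other lines."""
    m = HEADER.search(line)
    if not m or m.group(1) not in AA_TYPES:
        return None
    ev = {k: quoted if quoted else bare
          for k, quoted, bare in FIELD.findall(line[m.end():])}
    if "name" not in ev or "profile" not in ev:
        return None
    ev["type"] = AA_TYPES[m.group(1)]
    # Masks look like "r::" or "::r"; keep only the permission letters.
    ev["perms"] = ev.get("denied_mask", "").replace(":", "")
    return ev

def suggest_rules(log_text):
    """Group events by path and say where a rule for that path would belong."""
    by_path = defaultdict(lambda: {"profiles": set(), "perms": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            by_path[ev["name"]]["profiles"].add(ev["profile"])
            by_path[ev["name"]]["perms"].update(ev["perms"])
    out = []
    for path, info in sorted(by_path.items()):
        # Same path refused under several profiles: fix it once, in a shared abstraction.
        where = "abstraction" if len(info["profiles"]) > 1 else "profile"
        rule = f'{path} {"".join(sorted(info["perms"]))},'
        out.append((where, rule, sorted(info["profiles"])))
    return out

if __name__ == "__main__":
    for where, rule, profiles in suggest_rules(SAMPLE_LOG):
        print(f"{where:12} {rule}   # seen under {', '.join(profiles)}")
```

A suggested rule is only a starting point for review: after editing a profile or abstraction, the profiles still have to be reloaded (the thread uses `/etc/init.d/apparmor force-reload`) before the change takes effect.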