CUPS not starting due to error reading `/proc/sys/crypto/fips_enabled'

Bug #392337 reported by Muelli
This bug affects 4 people
Affects             Status         Importance   Assigned to   Milestone
apparmor (Ubuntu)   Fix Released   Undecided    Unassigned
cups (Ubuntu)       Invalid        Undecided    Unassigned

Bug Description

Binary package hint: cups

This might be a dup of bug 335898. However, the suggested reinstallation of "libgcrypt" doesn't work for me.

muelli@xbox:~$ sudo apt-get --reinstall install libgcrypt
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package libgcrypt
muelli@xbox:~$

Here's my problem:
muelli@xbox:~$ sudo /usr/sbin/cupsd -f
FATAL: error reading `/proc/sys/crypto/fips_enabled' in libgcrypt: Permission denied
Aborted (core dumped)
muelli@xbox:~$ echo $?
134
muelli@xbox:~$ tail -n2 /var/log/messages
Jun 26 00:58:25 xbox kernel: [31565.464104] type=1503 audit(1245970705.812:18): operation="sysctl" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/sys/crypto/fips_enabled" pid=24101 profile="/usr/sbin/cupsd"
Jun 26 00:58:45 xbox kernel: [31585.454942] type=1503 audit(1245970725.800:19): operation="sysctl" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/sys/crypto/fips_enabled" pid=24107 profile="/usr/sbin/cupsd"
muelli@xbox:~$ ldd /usr/sbin/cupsd | grep gcrypt
 libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007fe01ae4c000)
muelli@xbox:~$ sudo strace -fv -o /tmp/trace /usr/sbin/cupsd -f
FATAL: error reading `/proc/sys/crypto/fips_enabled' in libgcrypt: Permission denied
muelli@xbox:~$ ls -l /tmp/trace
-rw-r--r-- 1 root root 104600 2009-06-26 01:00 /tmp/trace
muelli@xbox:~$ sudo /etc/init.d/apparmor stop
 * Unloading AppArmor profiles [ OK ]
muelli@xbox:~$ sudo /usr/sbin/cupsd -f

So, after stopping AppArmor, it works.

ProblemType: Bug
Architecture: amd64
CupsErrorLog:

DistroRelease: Ubuntu 9.04
Lpstat: Error: command ['lpstat', '-v'] failed with exit code 1: lpstat: Unable to connect to server
MachineType: LENOVO 766636G
Package: cups 1.3.9-17ubuntu3.1
Papersize: letter
PpdFiles:
 InliDrucker: HP PhotoSmart C5100 Foomatic/hpijs (recommended)
 MFC-425CN: Generic text-only printer
 Samsung: Samsung CLP-550 Series (PS)
ProcCmdLine: root=/dev/mapper/cryptroot source=UUID=9c3d5596-27c6-4fd5-bfcd-fa8eef6f1230 ro quiet splash
ProcVersionSignature: Ubuntu 2.6.28-11.42-generic
SourcePackage: cups

Muelli (ubuntu-bugs-auftrags-killer) wrote :

FWIW:
reinstalling "libgcrypt11" doesn't help either
muelli@xbox:~$ sudo apt-get --reinstall install libgcrypt11
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libicu4j-java
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 7 not upgraded.
Need to get 0B/270kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]?
(Reading database ... 315412 files and directories currently installed.)
Preparing to replace libgcrypt11 1.4.4-2ubuntu1 (using .../libgcrypt11_1.4.4-2ubuntu1_amd64.deb) ...
Unpacking replacement libgcrypt11 ...
Setting up libgcrypt11 (1.4.4-2ubuntu1) ...

Processing triggers for libc6 ...
ldconfig deferred processing now taking place
muelli@xbox:~$ sudo /etc/init.d/apparmor start
 * Starting AppArmor * Loading AppArmor profiles ... [ OK ]
                                                                         [ OK ]
muelli@xbox:~$ sudo /etc/init.d/cups start
 * Starting Common Unix Printing System: cupsd cupsd: Child exited on signal 6!
                                                                         [fail]
muelli@xbox:~$

Ken D'Ambrosio (ken-jots) wrote :

I had the same problem; happened after I installed linux-image-2.6.28-6-386 (possibly a coincidence, but I'd be surprised). For me, at least, it was an apparmor issue:

root@bree:/etc/apparmor.d# ls -al /proc/sys/crypto/fips_enabled
-r--r--r-- 1 root root 0 Jul 7 10:18 /proc/sys/crypto/fips_enabled

Since its permissions are 444, it clearly should be allowed to read. I admit that, since it's my personal machine, I cheated, and, instead of learning how to fix it "right" in apparmor, I just did:

/etc/init.d/apparmor stop
chmod -x /etc/init.d/apparmor

NOTE: I do *NOT* recommend that as a work-around for a production or Internet-accessible box.

Andrea Gasparini (gaspa) wrote :

Confirmed, stopping apparmor let cups start correctly

affects: cups (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: New → Confirmed
xylo (stefan-endrullis) wrote :

Same for me.

Architecture: amd64
DistroRelease: Ubuntu 9.04

Leon (leonbo) wrote :

I added this line to /etc/apparmor.d/usr.sbin.cupsd:
/proc/sys/crypto/fips_enabled r,

Restarted apparmor and it worked.

aldebx (aldebx) wrote :

Thanks Leon, your tip worked!

The missing line can also be added as follows:

  @{PROC}/sys/crypto/fips_enabled r,

where you see other @{PROC} lines.

Reloading apparmor is achieved by

sudo /etc/init.d/apparmor reload

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu7

---------------
apparmor (2.3.1+1403-0ubuntu7) karmic; urgency=low

  * profiles/apparmor.d/abstractions/base: add /proc/sys/crypto (LP: #392337).

 -- Kees Cook <email address hidden> Sat, 25 Jul 2009 09:04:46 -0700

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Marking cups task as Invalid. The base abstraction has been fixed in apparmor and cups uses the base abstraction.

Changed in cups (Ubuntu):
status: New → Invalid
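
The step this thread walks through, going from the `type=1503` audit lines in the bug description to the profile line posted in the comments, as an added example that is not part of the original report or of AppArmor's own tooling. The function names are hypothetical, the sample input is the two log lines quoted above, and the reading of `denied_mask` (its letters, colons dropped, are the permissions needed) is an assumption.

```python
import re
from collections import defaultdict

# Constructed input: the two kernel audit lines quoted in the bug description.
SAMPLE_LOG = """\
Jun 26 00:58:25 xbox kernel: [31565.464104] type=1503 audit(1245970705.812:18): operation="sysctl" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/sys/crypto/fips_enabled" pid=24101 profile="/usr/sbin/cupsd"
Jun 26 00:58:45 xbox kernel: [31585.454942] type=1503 audit(1245970725.800:19): operation="sysctl" requested_mask="r::" denied_mask="r::" fsuid=0 name="/proc/sys/crypto/fips_enabled" pid=24107 profile="/usr/sbin/cupsd"
"""

# key=value pairs, where the value is either "quoted" or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of a type=1503 denial line, or None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    if fields.get("type") != "1503" or "denied_mask" not in fields:
        return None
    return fields

def rule_for(fields):
    """Build a profile rule in the form posted in the thread."""
    # Assumption: the letters of denied_mask are the permissions to grant.
    perms = "".join(sorted(set(fields["denied_mask"]) - {":"}))
    path = fields["name"]
    if path.startswith("/proc/"):
        # Same @{PROC} spelling as the rule suggested in the comments.
        path = "@{PROC}/" + path[len("/proc/"):]
    return f"{path} {perms},"

def profile_file(profile):
    """Map /usr/sbin/cupsd to /etc/apparmor.d/usr.sbin.cupsd, as named in the thread."""
    return "/etc/apparmor.d/" + profile.strip("/").replace("/", ".")

def suggest_rules(log_text):
    """Group de-duplicated candidate rules by the profile file they belong in."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields and "name" in fields and "profile" in fields:
            rules[profile_file(fields["profile"])].add(rule_for(fields))
    return {path: sorted(found) for path, found in rules.items()}

if __name__ == "__main__":
    for path, found in suggest_rules(SAMPLE_LOG).items():
        print(path)
        for rule in found:
            print("  " + rule)
```

Both denials collapse to a single read-only rule for one file, which is the narrow grant the comments arrive at, as opposed to unloading the profile.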