AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd

Bug #1052098 reported by tlu
This bug affects 3 people
Affects: cups (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

My HP printer suddenly didn't work anymore, and /var/log/syslog reported for udev-configure-printer:

"failed to connect to CUPS server; giving up"

I decided to reinstall cups and hplip and got the following error messages:

"AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/usr.sbin.cupsd at line 18: Invalid capability block_suspend."

... and:

"start: Job failed to start
invoke-rc.d: initscript cups, action "start" failed."

... resulting in errors related to dpkg (dependency problems).

After commenting out the line

capability block_suspend,

in /etc/apparmor.d/usr.sbin.cupsd, all is well: Reinstalling cups and hplip was successful and my printer works again.

tlu (thomas-ludwig-gmx) wrote :

Forgot to mention that I'm using Kubuntu 12.04.

Logan Rosen (logan)
affects: apparmor (Ubuntu) → cups (Ubuntu)
tlu (thomas-ludwig-gmx) wrote :

I think I found the culprit: I was modifying an AppArmor profile for Thunderbird. When I executed aa-logprof, I got the following message:

Enforce-mode changes:

Profile: /usr/sbin/cupsd
Capability: block_suspend
Severity: unexpected capability rank input: CAP_BLOCK_SUSPEND

If you select "Allow", you will run into the problem mentioned above.

I've no idea why creating/modifying a Thunderbird profile affects the cupsd profile and why that capability is added.

Jamie Strandboge (jdstrand) wrote :

What is the output of the following command:
$ cat /proc/version_signature

Till Kamppeter (till-kamppeter) wrote :

pitti, can you have a look into this? It is probably an AppArmor rather than a CUPS problem.

tlu (thomas-ludwig-gmx) wrote :

@jdstrand:
Ubuntu 3.5.0-14.18~precise1-generic 3.5.3

I've added https://launchpad.net/~ubuntu-x-swat/+archive/q-lts-backport to my repositories. Perhaps related to that one?

Martin Pitt (pitti) wrote :

I have the same cups profile, and I don't get that error message. Jamie, any idea what this could mean? Thanks!

tlu (thomas-ludwig-gmx) wrote :

It happened again. I fine-tuned the Thunderbird profile with aa-logprof, and again it wanted to modify the cupsd profile by adding that capability.

tlu (thomas-ludwig-gmx) wrote :

It also happened when I tweaked my Google Chrome profile with aa-logprof. I chose "Finish".

Anyway, /var/log/syslog says:

[ 5303.439870] type=1400 audit(1348065251.369:4090): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1235 comm="cupsd" pid=1235 comm="cupsd" capability=36 capname="block_suspend"

Jamie Strandboge (jdstrand) wrote :

BLOCK_SUSPEND is a capability in newer kernels. 'deny capability block_suspend,' is found in the 12.10 CUPS profile, which is fine since the 12.10 kernel has it and the apparmor userspace for 12.10 was compiled against the 12.10 kernel headers. However, on 12.04 the apparmor userspace was compiled with older headers and so it doesn't understand this rule.

tlu, what version of cups are you using? Can you give the output of:
$ apt-cache policy cups

Changed in cups (Ubuntu):
status: New → Incomplete
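
The mismatch described in the comment above can be checked before a rule is accepted from aa-logprof. This is an added example, not code from the bug report or from AppArmor; the function names, the sample profile, and the assumption that the 12.04 parser accepts exactly the capability names in the Linux 3.2 headers are illustrative. The sample log line is the one quoted earlier in this report.

```python
import re

# Capability names in the Linux 3.2 headers (numbers 0-35). Assumption: this is
# the set the Ubuntu 12.04 apparmor_parser was built with; block_suspend is 36.
CAPS_3_2 = """chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write
audit_control setfcap mac_override mac_admin syslog wake_alarm""".split()

# "capability a b," with optional audit/deny/allow qualifiers in front.
RULE_RE = re.compile(r"^\s*(?:(?:audit|deny|allow)\s+)*capability\b([a-z_\s]*),\s*$")
DENIAL_RE = re.compile(
    r'apparmor="DENIED" operation="capable".*?profile="([^"]+)"'
    r'.*?capability=(\d+)\s+capname="([^"]+)"')

def unknown_capability_rules(profile_text, known=CAPS_3_2):
    """Return (line number, name) for each capability the parser would not know."""
    hits = []
    for n, line in enumerate(profile_text.splitlines(), 1):
        m = RULE_RE.match(line.split("#", 1)[0])  # ignore comments
        if m:
            hits += [(n, c) for c in m.group(1).split() if c not in known]
    return hits

def denied_capabilities(log_text):
    """Return (profile, capability number, capname) for each capable denial."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in DENIAL_RE.finditer(log_text)]

def rejected_suggestions(log_text, known=CAPS_3_2):
    """Denials whose capability rule, if added to the profile, would not parse."""
    return [d for d in denied_capabilities(log_text) if d[2] not in known]

# Constructed sample profile; line 4 reproduces the rule that broke cupsd.
SAMPLE_PROFILE = """/usr/sbin/cupsd {
  capability chown,
  capability net_bind_service, # constructed sample
  capability block_suspend,
  # capability wake_alarm,
}
"""
SAMPLE_LOG = ('[ 5303.439870] type=1400 audit(1348065251.369:4090): '
              'apparmor="DENIED" operation="capable" parent=1 '
              'profile="/usr/sbin/cupsd" pid=1235 comm="cupsd" pid=1235 '
              'comm="cupsd" capability=36 capname="block_suspend"')

if __name__ == "__main__":
    print(unknown_capability_rules(SAMPLE_PROFILE))
    print(rejected_suggestions(SAMPLE_LOG))
```

A denial that appears in `rejected_suggestions` is one where choosing "Allow" in aa-logprof would write a rule the installed parser cannot load.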
tlu (thomas-ludwig-gmx) wrote :

@Jamie: I understand, that explains it. Thanks a lot!

I'm using cups 1.5.3-0ubuntu4

Jamie Strandboge (jdstrand) wrote :

tlu, can you please attach the output of:
$ apparmor_parser -p /etc/apparmor.d/usr.sbin.cupsd

tlu (thomas-ludwig-gmx) wrote :

Sure - see the attachment.

Jamie Strandboge (jdstrand) wrote :

Thanks for the added information. Your /etc/apparmor.d/local/usr.sbin.cupsd has a lot of extra entries in it. By default it will be empty but it is there for people to use for site-local configuration updates. I see that you currently have:
  # capability block_suspend,

Which clearly you commented out to avoid the bug. Perhaps you tried a newer cups and made these additions so it would work? Regardless, unless you have a specific reason to do so, I suggest clearing out all the extra entries in /etc/apparmor.d/local/usr.sbin.cupsd for now.

Marking "Invalid" since this bug was due to local changes.

Changed in cups (Ubuntu):
status: Incomplete → Invalid
tlu (thomas-ludwig-gmx) wrote :

Jamie, now I'm confused. As a matter of fact, /etc/apparmor.d/local/usr.sbin.cupsd here is completely empty.

And, yes, I commented out

# capability block_suspend,

in /etc/apparmor.d/usr.sbin.cupsd in order to avoid this bug. I noticed that it was shown in the attachment under ##included <local/usr.sbin.cupsd> - but again, /etc/apparmor.d/local/usr.sbin.cupsd is empty on my system.

Jamie Strandboge (jdstrand) wrote :

That is odd and probably may be a bug in apparmor_parser. However, clearly you have policy from the Ubuntu 12.10 package because 12.04 LTS does not have 'block_suspend'. Can you attach a tarball of /etc/apparmor.d? Eg:

$ sudo tar -zcvf /tmp/1052098.tar.gz /etc/apparmor.d/

tlu (thomas-ludwig-gmx) wrote :
Jamie Strandboge (jdstrand) wrote :

You have a usr.sbin.cupsd~ file. Can you remove this then do 'sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd' then reboot? I think it might be overriding the other.

tlu (thomas-ludwig-gmx) wrote :

Jamie, I'm sorry but I've just done a release upgrade to Quantal. I guess your suggestion won't give us new insights now, will it?
