desktop-packages team mailing list archive

Thread
Date

[Bug 1371097] Re: cupsd is not allowed to access /var/cache/samba/gencache.tdb by apparmor

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: TEN <1371097@xxxxxxxxxxxxxxxxxx>
Date: Tue, 11 Aug 2015 22:06:38 -0000
Reply-to: Bug 1371097 <1371097@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Probably triggered by some recent package update, 
Ubuntu 14.04.3 LTS 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
reports in /var/log/kern.log:

type=1400 audit(1439324668.029:103): apparmor="DENIED" operation="open"
profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1019
comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

The above message can be prevented by this addition to
/etc/apparmor.d/usr.sbin.cupsd from bug 1371097 after the following
comment:

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.cupsd>

  /var/cache/samba/*.tdb r,

However, another error follows, also repeatedly:

type=1400 audit(1439325510.504:68): apparmor="DENIED" operation="signal"
profile="/usr/sbin/cupsd" pid=952 comm="cupsd" requested_mask="send"
denied_mask="send" signal=term peer="unconfined"

For this one, suggestions not directly applicable to LTS seem to be made in bug 1370930 with a fix for other versions.
How can this best be applied to also fix Ubuntu 14.04.3 ?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1371097

Title:
  cupsd is not allowed to access /var/cache/samba/gencache.tdb by
  apparmor

Status in cups package in Ubuntu:
  Fix Released

Bug description:
  For some reason /usr/sbin/cupsd tries to access
  /var/cache/samba/gencache.tdb. I have a printer setup via samba so
  that may be the reason.

  The apparmor profile for cupsd does not allow this. I get this error
  in the logs:

   kernel: [284527.967015] type=1400 audit(1411040510.770:103):
  apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
  name="/var/cache/samba/gencache.tdb" pid=1722 comm="smb"
  requested_mask="r" denied_mask="r" fsuid=7 ouid=0

  A listing of the apparmor profile (/etc/apparmor.d/usr.sbin.cupsd) is here:
  http://pastebin.ubuntu.com/8372024/

  The file /etc/apparmor.d/usr.sbin.cupsd belongs to the cups-daemon
  package

  The system silently fails to print from GUI. The fanny part is that I
  printed something successfully the day I set the printer up
  (yesterday).

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: cups-daemon 1.7.2-0ubuntu1.2
  ProcVersionSignature: Ubuntu 3.13.0-35.62-generic 3.13.11.6
  Uname: Linux 3.13.0-35-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.14.1-0ubuntu3.4
  Architecture: amd64
  CupsErrorLog:
   
  Date: Thu Sep 18 15:27:52 2014
  InstallationDate: Installed on 2014-09-01 (17 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  Lpstat: device for SRB01PR001: smb://prs03ist00.lim.tepak.int/SRB01PR001
  MachineType: Apple Inc. MacPro5,1
  Papersize: a4
  PpdFiles: SRB01PR001: HP Color LaserJet CP3505 Postscript (recommended)
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.13.0-35-generic.efi.signed root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
  SourcePackage: cups
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 10/07/10
  dmi.bios.vendor: Apple Inc.
  dmi.bios.version: MP51.88Z.007F.B03.1010071432
  dmi.board.asset.tag: 0
  dmi.board.name: Mac-F221BEC8
  dmi.board.vendor: Apple Inc.
  dmi.chassis.type: 7
  dmi.chassis.vendor: Apple Inc.
  dmi.chassis.version: Mac-F221BEC8
  dmi.modalias: dmi:bvnAppleInc.:bvrMP51.88Z.007F.B03.1010071432:bd10/07/10:svnAppleInc.:pnMacPro5,1:pvr0.0:rvnAppleInc.:rnMac-F221BEC8:rvr:cvnAppleInc.:ct7:cvrMac-F221BEC8:
  dmi.product.name: MacPro5,1
  dmi.product.version: 0.0
  dmi.sys.vendor: Apple Inc.
  modified.conffile..etc.default.cups:
   # Cups configure options
   
   # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
   # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
   # LOAD_LP_MODULE=yes
  mtime.conffile..etc.default.cups: 2014-07-23T01:20:18

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1371097/+subscriptions

References

[Bug 1371097] [NEW] cupsd is not allowed to access /var/cache/samba/gencache.tdb by apparmor
From: Theodotos Andreou, 2014-09-18