
touch-packages team mailing list archive

[Bug 1370930] Re: apparmor cups samba problem no printing

 

Since 14.04, apparmor has signal mediation. Cups is trying to kill some processes. To obtain 13.10 behavior, you could add this to usr.sbin.cupsd:
  signal,

However, this would obviously allow cups to send signals to anything. I'm guessing it is sending signals to third party backends. It would probably be best to change this rule:
  /usr/lib/cups/backend/* Ux,

to something like (untested):
  /usr/lib/cups/backend/* Cx -> cups_backends,
  signal (send) peer=cups_backends,
  profile cups_backends {
    file,
    capability,
    network,
    audit deny capability mac_admin,
    dbus,
    signal,
    ptrace,
    unix,
  }

In addition to fixing the above, this adds a modest improvement over
what we have now: backends aren't allowed to change MAC policy, can't
change_profile and can't use mount.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1370930

Title:
  apparmor cups samba problem no printing

Status in “cups” package in Ubuntu:
  New

Bug description:
  I configured a USB Brother printer correctly (working) on Ubuntu 14.04.1.
  Then I installed a Samba server to share this printer on a Windows network.
  Samba printing from Windows machines works correctly. Direct USB CUPS printing reports printing OK and jobs completed, but nothing prints. In syslog I see these apparmor DENIED messages:
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 audit(1411023117.729:74): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 audit(1411023117.729:75): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:51:57 gabi-K55A kernel: [  844.182286] type=1400 audit(1411023117.729:76): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 audit(1411023244.943:77): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 audit(1411023244.943:78): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394161] type=1400 audit(1411023244.943:79): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
  Sep 18 08:54:04 gabi-K55A kernel: [  971.394166] type=1400 audit(1411023244.943:80): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"


  I installed the latest apparmor profiles with apt-get, but I still get these messages, with the same result (no printing):
  Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
  Sep 18 09:15:06 gabi-K55A kernel: [  100.878155] usblp 1-4:1.0: usblp0: USB Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x04F9 pid 0x0037
  Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 audit(1411024599.437:117): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1370930/+subscriptions
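
One way to triage denials like those in the bug description, as an added example that is not part of the original message or of AppArmor's own tooling: it parses `apparmor="DENIED"` audit records and groups them by profile, operation, and target, so the two distinct problems (the `smb` backend reading `gencache.tdb`, and cupsd sending SIGTERM to an unconfined peer) stand out. The function names are assumptions; the sample lines are copied from the syslog excerpt above.

```python
import re
from collections import Counter

# Sample input: a subset of the syslog lines quoted in the bug description,
# including one non-audit kernel line that must be skipped.
SAMPLE = '''\
Sep 18 08:51:57 gabi-K55A kernel: [  844.181601] type=1400 audit(1411023117.729:74): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
Sep 18 08:51:57 gabi-K55A kernel: [  844.181649] type=1400 audit(1411023117.729:75): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=3353 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
Sep 18 08:54:04 gabi-K55A kernel: [  971.394145] type=1400 audit(1411023244.943:77): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
Sep 18 08:54:04 gabi-K55A kernel: [  971.394155] type=1400 audit(1411023244.943:78): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=2034 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
Sep 18 09:15:06 gabi-K55A kernel: [  100.620853] usblp0: removed
Sep 18 09:16:39 gabi-K55A kernel: [  193.894732] type=1400 audit(1411024599.437:117): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=2384 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
'''

# key="quoted value" or key=bare_value (e.g. signal=term, pid=2034)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    # Only parse what follows the audit(...) stamp; the syslog prefix is ignored.
    _, _, record = line.partition("audit(")
    return {key: quoted or bare for key, quoted, bare in KV.findall(record)}


def summarize(log_text):
    """Count denials per distinct (profile, operation, comm, target, mask) tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        # File denials carry name=; signal denials carry peer= and signal= instead.
        target = f.get("name") or "peer=" + f.get("peer", "?")
        if "signal" in f:
            target += " signal=" + f["signal"]
        # pid and audit serial are left out of the key so repeats collapse together.
        counts[(f["profile"], f["operation"], f["comm"], target, f["denied_mask"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

The `comm` and `peer` columns are what separate the two issues: the file denial comes from the `smb` backend running under the cupsd profile, while the signal denial comes from `cupsd` itself targeting an `unconfined` peer.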

