apparmor cups samba problem no printing

pitti, can you have a look what is missing here in the AppArmor profile? Thanks.

The bits about gendache.tdb are covered by bug 1371097. I don't know what the denied_mask="send" signal=term bits are about, I suggest asking the apparmor developers (jdstrand and tyhicks).

Since 14.04, apparmor has signal mediation. Cups is trying to kill some processes. To obtain 13.10 behavior, you could add this to usr.sbin.cupsd:
  signal,

However, this would obviously allow cups to send signals to anything. I'm guessing it is sending signals to third party backends. It would probably be best to change this rule:
  /usr/lib/cups/backend/* Ux,

to something like (untested):
  /usr/lib/cups/backend/* Cx -> cups_backends,
  signal (send) peer=cups_backends,
  profile cups_backends {
    file,
    capability,
    network,
    audit deny capability mac_admin,
    dbus,
    signal,
    ptrace,
    unix,
  }

In addition to fixing the above, this adds a modest improvement over what we have now: backends aren't allowed to change MAC policy, can't change_profile and can't use mount.

Actually, I see more Ux rules. Try this instead (also untested):
  /usr/bin/hpijs Cx -> third_party,
  /usr/Brother/** Cx -> third_party,
  /usr/lib/cups/backend/* Cx -> third_party,
  /usr/lib/cups/filter/** Cxr -> third_party,
  /usr/lib/cups/driver/* Cxr -> third_party,
  signal (send) peer=third_party,
  profile third_party {
    file,
    capability,
    network,
    audit deny capability mac_admin,
    dbus,
    signal,
    ptrace,
    unix,
  }

Status changed to 'Confirmed' because the bug affects multiple users.

I'm preparing an update for this now that implements the above. Note, I do not have a third party printer so it is possible more fine tuning will need to be done. Also note, the 'unix' rule will not work on Debian-- it will need to be conditionally applied to Ubuntu until the unix mediation is upstreamed and included in Debian.

Sorry, I meant the 'signal' rule instead of 'unix'.

Sigh, that's what I get for typing too fast. Debian does not support dbus, signal, ptrace or unix rules -- all of these should be excluded in Debian and included in Ubuntu.

This bug was fixed in the package cups - 1.7.5-2ubuntu1

---------------
cups (1.7.5-2ubuntu1) utopic; urgency=medium

  * debian/local/apparmor-profile:
    - move Ux to Cx -> third_party and provie a third_party child profile. In
      this manner, we can add some modest confinement (can't change MAC
      policy, change_profile or mount) but more importantly it allows us to
      specify peer=third_party to restrict where the strictly confined cups
      process can send signals (LP: #1370930)
    - allow r of /var/cache/samba/*.tdb (LP: #1371097)
    - allow r of /var/{cache,lib}/samba/printing/printers.tdb
 -- Jamie Strandboge <email address hidden> Wed, 24 Sep 2014 11:24:03 -0500

And what about for those who use 14.04.2 LTS?

Any news on this?

Probably triggered by some recent package update,
Ubuntu 14.04.3 LTS 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
reports in /var/log/kern.log:

type=1400 audit(1439324668.029:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1019 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

The above message can be prevented by this addition to /etc/apparmor.d/usr.sbin.cupsd from bug 1371097 after the following comment:

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.cupsd>

  /var/cache/samba/*.tdb r,

However, another error follows, also repeatedly:

type=1400 audit(1439325510.504:68): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=952 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

For this one, suggestions not directly applicable to LTS seem to be made in bug 1370930 with a fix for other versions.
How can this best be applied to also fix Ubuntu 14.04.3 ?