apparmor profile error messages

Bug #139665 reported by Pär Lindfors
Affects: cupsys (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Martin Pitt

Bug Description

The cupsys apparmor profile is still too restrictive. I am using cupsys 1.3.0-4ubuntu3 on amd64 and get the following errors in dmesg.

This is when trying to print to PDF, which seems to fail:

[110434.217141] audit(1189790585.293:18281): operation="capable" name="dac_override" pid=2357 profile="/usr/lib/cups/backend/cups-pdf"
[110434.217150] audit(1189790585.293:18282): operation="capable" name="dac_read_search" pid=2357 profile="/usr/lib/cups/backend/cups-pdf"
[110434.232496] audit(1189790585.321:18283): operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/papersize" pid=2362 profile="/usr/lib/cups/backend/cups-pdf"

The following is when printing a single page to my USB printer that I think is using the hpijs backend. No errors in cups logs, and the page printed fine, but still prints apparmor warnings to dmesg.

dmesg:
[110473.515355] audit(1189790675.717:18284): operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=2442 profile="/usr/sbin/cupsd"
[110473.542908] audit(1189790675.773:18285): operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=2445 profile="/usr/sbin/cupsd"

cups/access_log:
localhost - - [14/Sep/2007:19:24:35 +0200] "POST /printers/skrivare HTTP/1.1" 200 226016 Print-Job successful-ok

cups/page_log:
skrivare spacewoman 56 [14/Sep/2007:19:24:37 +0200] 1 1 - localhost

Mathias Gug (mathiaz) wrote :

I've attached a patch that fixes the profile.

Martin Pitt (pitti) wrote :

I fixed the access to /etc/papersize yesterday. cupsd should not get dac_override and dac_read_search, those are too powerful.

Neither is there a reason for cupsd to write to /dev/tty*. I'd rather track down the reason why it tries that in the first place and change the code to not do it.

I committed 'm' access to passwd and group to bzr head. Quite strange, but it doesn't hurt.
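
The denial lines quoted in this report can be triaged mechanically before anyone edits a profile. The following is an added example, not part of the original thread or the cupsys package: it parses the audit format shown above and separates candidate profile rules from requests that the thread argues should be investigated rather than allowed. The function names, the `TOO_POWERFUL` set and the /dev write heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: denial lines copied from the dmesg/syslog excerpts in this report.
SAMPLE = '''\
[110434.217141] audit(1189790585.293:18281): operation="capable" name="dac_override" pid=2357 profile="/usr/lib/cups/backend/cups-pdf"
[110434.232496] audit(1189790585.321:18283): operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/papersize" pid=2362 profile="/usr/lib/cups/backend/cups-pdf"
[110473.515355] audit(1189790675.717:18284): operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=2442 profile="/usr/sbin/cupsd"
[110473.542908] audit(1189790675.773:18285): operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=2445 profile="/usr/sbin/cupsd"
Dec 15 17:20:51 gandalf kernel: [26194.092000] audit(1197757250.417:11): type=1503 operation="file_mmap" requested_mask="mr" denied_mask="m" name="/usr/share/samba/lowcase.dat" pid=7208 profile="/usr/sbin/cupsd"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Capabilities the thread calls "too powerful"; an assumption here, not a complete list.
TOO_POWERFUL = {"dac_override", "dac_read_search"}

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if "operation" in fields and "profile" in fields else None

def triage(log_text):
    """Group denials per profile into candidate rules and items needing review."""
    report = defaultdict(lambda: {"candidates": set(), "review": set()})
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        if d["operation"] == "capable":
            rule = f'capability {d["name"]},'
            risky = d["name"] in TOO_POWERFUL
        else:
            rule = f'{d["name"]} {d.get("denied_mask", "")},'
            # Heuristic of this example: writes to device nodes get explained first.
            risky = d["name"].startswith("/dev/") and "w" in d.get("denied_mask", "")
        report[d["profile"]]["review" if risky else "candidates"].add(rule)
    return {p: {k: sorted(v) for k, v in e.items()} for p, e in report.items()}

if __name__ == "__main__":
    for profile, entry in triage(SAMPLE).items():
        print(profile)
        for rule in entry["candidates"]:
            print("  candidate:", rule)
        for rule in entry["review"]:
            print("  review:   ", rule)
```

Rules listed under "review" are printed for a human decision and are never meant to be pasted into the profile as-is.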

Daniel Holbach (dholbach) wrote :

Unsubscribing Ubuntu Sponsors for main from this bug for now.

Changed in cupsys:
status: New → Incomplete

Pär Lindfors (paran) wrote :

Martin: I am not seeing any more cups audit messages, but on the other hand some of the "too powerful" capabilities seem to have been given to cups now. If I can help debug this further to produce a better solution please let me know.

TJ (tj) wrote :

Martin's comment about /dev/tty and cupsd seems related to an issue I've recently experienced and attached a report to bug #147800 "...bluetooth printing was working but is not..."

Disabling apparmor provided a work-around in that case but I'd like to sort the issue out with apparmor or cupsd.

Changed in cupsys:
assignee: nobody → pitti
importance: Undecided → Medium

waldheinz (waldheinz) wrote :

Under 7.10, when apparmor is in enforce mode, a HP 920 cxi printer can not be used. I assume it's the same problem, as this printer needs the pnm2ppa tool to work (it's a GDI - printer). When apparmor is disabled everything works as expected.

Robert Di Gioia (digioiar) wrote :

Hi. Since upgrading from feisty to gutsy, I've been getting apparmor messages when I print. My printer is connected to an XP box, so I'm using samba.

Dec 15 17:20:51 gandalf kernel: [26194.092000] audit(1197757250.417:11): type=1503 operation="file_mmap" requested_mask="mr" denied_mask="m" name="/usr/share/samba/lowcase.dat" pid=7208 profile="/usr/sbin/cupsd"
Dec 15 17:20:51 gandalf kernel: [26194.160000] audit(1197757250.417:12): type=1503 operation="file_mmap" requested_mask="mr" denied_mask="m" name="/usr/share/samba/valid.dat" pid=7208 profile="/usr/sbin/cupsd"

After reading up on apparmor, and reviewing /etc/apparmor.d/usr.sbin.cupsd, and noticing that there is a samba profile in the /etc/apparmor.d/abstractions directory, I tried adding the following line to /etc/apparmor.d/usr.sbin.cupsd, and it no longer generates messages when printing. I added it to the end of the #include section.

#include <abstractions/samba>

My thought is that it may be good to add samba to the apparmor cups profile on a go-forward basis to keep syslog noise down.

Hope that this is of some help.

Till Kamppeter (till-kamppeter) wrote :

Robert Di Gioia, this problem with Samba and AppArmor is fixed in both Hardy and gutsy-updates. Did you update at least to the current gutsy-updates? If not, please do so.

Please report whether your problem gets fixed by the updates.

If not, post the output of

dpkg -p cupsys

Martin Pitt (pitti) wrote :

Robert,

can you please confirm that the current cupsys package in gutsy-updates (version 1.3.2-1ubuntu7.5) fixes the samba issue?

Till Kamppeter (till-kamppeter) wrote :

Robert Di Gioia, I am closing this bug as it should be fixed. If you still have problems, please do the updates, answer the questions from my previous posting, and reopen the bug. Thanks.

Changed in cupsys:
status: Incomplete → Fix Released

Robert Di Gioia (digioiar) wrote :

Hi Till

Thanks for working on this, and sorry for the slow response, it's been a busy week.

My system is up to date, with the updated version of cupsys installed (see below for output of dpkg-query -W), but my /etc/apparmor.d/usr.sbin.cupsd has not been updated since January. However, since I reported it in December, maybe it has been that long since it was fixed...either way, my system is working well.

Thanks again!

-rw-r--r-- 1 root root 3379 2008-01-16 21:48 usr.sbin.cupsd

robert@gandalf:/etc/apparmor.d> dpkg-query -W cupsys
cupsys 1.3.2-1ubuntu7.5

Casey Watson (watsoncj) wrote :

I noticed that Mathias' patch contained the following entry:

/etc/password m,

Is this a typo?

Martin Pitt (pitti) wrote :

Indeed it is, it should be /etc/passwd. However, I fixed that when I applied the patch to the package.
