Hello, denials for capabilty net_admin are often a sign that a service uses systemd libraries on startup, and these systemd libraries do funny[tm] things. In these cases the net_admin capability is not really needed.
See https://bugzilla.opensuse.org/show_bug.cgi?id=1196850#c3 for the technical details. (Yes, I'm aware that this bugreport is for Samba, not cups - but I'm somewhat sure that cups uses the same systemd libraries on startup.) I have to admit that I'm only a cups user, but I'd be surprised if it really needs capability net_admin. To find out if it's really needed or just "systemd noise", can you please explicitely deny net_admin and test if printing still works? To do this, add deny capability net_admin, to /etc/apparmor.d/local/usr.sbin.cupsd This will a) deny it and b) silence the logging. Then reload the profile with systemctl reload apparmor I'd also recommend to aa-enforce cupsd (in theory deny rules get enforced even in complain mode, but better safe than sorry) If printing doesn't work with the deny rule added, please try if it works if you allow the capability: capability net_admin, (and remove the deny rule). Note, since this bug includes two different AppArmor denials: capability sys_nice, for cups-browsed is unrelated to what I wrote above. Please don't change your cups-browsed profile (= keep it in complain mode) while testing the deny rule in the cupsd profile. Regards, Christian Boltz -- > check up on dusted up coolers / vents etc. That is the first thing that I did, but I can't imagine that the amount of dust is automatically changing with the kernel ? [> David Haller and Raymond Wooninck in opensuse-factory]