For what it's worth, this is still happening with noble.

Since the shipped /etc/apparmor.d/usr.sbin.cups-browsed fortunately
specifies "#include <local/usr.sbin.cups-browsed>", this can be worked
around without causing further headaches by adding the following to
/etc/apparmor.d/local/usr.sbin.cups-browsed (create that file if for
some reason it doesn't exist):

    /etc/gnutls/config r,

and reloading the profiles via

    systemctl reload apparmor

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/2028459

Title:
  cups apparmor: read access to /etc/gnutls/config

Status in cups package in Ubuntu:
  Confirmed

Bug description:
  The gnutls library has an optional configuration file in
  /etc/gnutls/config. This file is not shipped by the Ubuntu packaging,
  but it can be created by a user wanting to configure certain aspects
  of gnutls.

  When the file exists, gnutls functions might trigger an access to it,
  and this is happening with cups in my system:

  jul 23 14:44:35 nsnx2 kernel: audit: type=1400
  audit(1690134275.356:574): apparmor="DENIED" operation="open"
  class="file" profile="/usr/sbin/cupsd" name="/etc/gnutls/config"
  pid=11222 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0
  ouid=0

  jul 23 14:44:35 nsnx2 kernel: audit: type=1400
  audit(1690134275.376:576): apparmor="DENIED" operation="open"
  class="file" profile="/usr/sbin/cups-browsed"
  name="/etc/gnutls/config" pid=11224 comm="cups-browsed"
  requested_mask="r" denied_mask="r" fsuid=121 ouid=0

  $ l /etc/gnutls/config
  -rw-r--r-- 1 root root 38 jun 15 18:44 /etc/gnutls/config

  $ apt-cache policy cups
  cups:
    Installed: 2.4.2-3ubuntu2.2
    Candidate: 2.4.2-3ubuntu2.2
    Version table:
       2.4.2-3ubuntu2.3 100
          100 http://br.archive.ubuntu.com/ubuntu lunar-proposed/main amd64 Packages
   *** 2.4.2-3ubuntu2.2 500
          500 http://br.archive.ubuntu.com/ubuntu lunar-updates/main amd64 Packages
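
Added example, not part of the bug report or of the cups packaging: a Python sketch that reads AppArmor denials like the two quoted above and proposes local override rules only for read denials on paths an administrator has already reviewed, leaving everything else for manual inspection. The reviewed-path set, the third log line and the assumption that every profile follows the /etc/apparmor.d/local/ naming shown for cups-browsed (and includes that file) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the two denials from the bug description (unwrapped)
# plus one invented denial for a path nobody has reviewed.
SAMPLE_LOG = '''\
jul 23 14:44:35 nsnx2 kernel: audit: type=1400 audit(1690134275.356:574): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/gnutls/config" pid=11222 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
jul 23 14:44:35 nsnx2 kernel: audit: type=1400 audit(1690134275.376:576): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cups-browsed" name="/etc/gnutls/config" pid=11224 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=121 ouid=0
jul 23 14:44:36 nsnx2 kernel: audit: type=1400 audit(1690134276.400:577): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/srv/constructed/example.conf" pid=11222 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# Paths an administrator has decided are safe to read (assumption of this example).
REVIEWED_READ_PATHS = {"/etc/gnutls/config"}

# key="quoted value" or key=bare_value, as they appear in audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(log_text):
    """Yield (profile, path, denied_mask) for each AppArmor file denial."""
    for line in log_text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED" or fields.get("class") != "file":
            continue
        if {"profile", "name", "denied_mask"} <= fields.keys():
            yield fields["profile"], fields["name"], fields["denied_mask"]


def local_override_file(profile):
    """Map /usr/sbin/cups-browsed to local/usr.sbin.cups-browsed (assumed convention)."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


def propose_rules(log_text, reviewed=REVIEWED_READ_PATHS):
    """Return ({override file: [rule lines]}, [denials left for manual review])."""
    rules, unreviewed = defaultdict(set), []
    for profile, path, mask in parse_denials(log_text):
        if mask == "r" and path in reviewed:
            rules[local_override_file(profile)].add(f"{path} r,")
        else:
            unreviewed.append((profile, path, mask))
    return {f: sorted(r) for f, r in rules.items()}, unreviewed


if __name__ == "__main__":
    proposed, pending = propose_rules(SAMPLE_LOG)
    for override, lines in proposed.items():
        print(override, "<-", lines)
    print("needs review:", pending)
```

The script only proposes text; the rules still have to be added to the override file by hand and the profiles reloaded as described in the comment above.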
