Control: severity -1 important
Control: tag -1 + moreinfo
Control: user pkg-apparmor-t...@lists.alioth.debian.org
Control: usertags + buggy-profile

Hi,

> I installed lxc on a freshly installed debian 10 (standard iso + the tasks:
> desktop, kde, print-server, laptop).

First, I'd like to ensure I understand correctly, since you're mentioning LXC: how is this related to LXC? Are the problems quoted below happening inside a LXC container?

> - The printer was not autodiscovered in the "Print" window of any program,
>   and in the "Add printer" window of system-config-printer-settings.
> - Even after setting the device URI, print jobs did not make it to the printer
>   and there were no info about toner levels, printer availability, etc.
>
> I did not touch apparmor, but aa-status said it was enforcing on a lot
> of programs, including /usr/sbin/{cupsd,cups-browsed}, so I ran
>
>     aa-complain /usr/sbin/cupsd
>     aa-complain /usr/sbin/cups-browsed

Note that aa-complain does not *fully* disable AppArmor profiles: As its manpage says, 'deny' rules will be enforced even in complain mode.

> Now, the printer was autodiscovered,

So I guess the /usr/sbin/cups-browsed profile was blocking auto-discovery. To debug this further, we'll need more information, starting with the output of this command:

    journalctl -kaf --no-hostname | grep -w 'apparmor="DENIED"'

> but printing still did not work, so I did
>     apt-get autopurge apparmor
>
> Now printing works fine, I have toner level info, etc.

So I guess the /usr/sbin/cupsd profile was blocking printing. To debug this, we'll need the same debugging info I requested above.

Once you've provided the debugging info, I'll reassign this bug to the package(s) that ship the buggy AppArmor profiles: most likely, respectively cups-browsed and/or cups-daemon.

In the meantime I'm downgrading severity to important, because:

- This problem does not make the apparmor package itself unusable.
- If the problem affected many printers, I would hope we would have learnt about it earlier.

Thank you for reporting this bug to Debian,
cheers!
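
Added example, not part of the original message: a small Python summarizer for the kernel audit lines that the journalctl command above captures, grouping events by profile so it is clear which package ships the profile to adjust. The log lines are constructed samples (paths, PIDs and timestamps are made up); the parser also keeps `apparmor="ALLOWED"` events, which is how complain mode logs what it would have blocked, and decodes the hex form the audit subsystem uses for names containing unsafe characters.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel audit format AppArmor logs in;
# the paths, PIDs and timestamps are made up, not taken from the bug report.
SAMPLE_LOG = '''\
Jul 10 10:00:01 kernel: audit: type=1400 audit(1562752801.101:51): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/example/ppd/printer.ppd" pid=1201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 10 10:00:02 kernel: audit: type=1400 audit(1562752802.202:52): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/example/ppd/printer.ppd" pid=1201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 10 10:00:03 kernel: audit: type=1400 audit(1562752803.303:53): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=1300 comm="cups-browsed" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
Jul 10 10:00:04 kernel: audit: type=1400 audit(1562752804.404:54): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/cupsd" name=2F6578616D706C652F73706F6F6C2F6120622E746D70 pid=1201 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 10 10:00:05 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_VALUE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# String fields are either quoted or, if they contain unsafe bytes, bare hex.
HEX_FIELDS = {"name", "profile", "comm"}


def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, else None."""
    if "apparmor=" not in line:
        return None
    event = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if quoted is None and key in HEX_FIELDS and HEX_VALUE.fullmatch(value):
            value = bytes.fromhex(value).decode("utf-8", "replace")
        event[key] = value
    return event


def summarize(log_text):
    """Count events per (verdict, profile, operation, target, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        # File rules carry name=; network rules carry family=/sock_type=.
        target = ev.get("name") or f'{ev.get("family", "?")}/{ev.get("sock_type", "?")}'
        counts[(ev["apparmor"], ev.get("profile", "?"), ev.get("operation", "?"),
                target, ev.get("denied_mask", ""))] += 1
    return counts


if __name__ == "__main__":
    for (verdict, profile, op, target, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {verdict:8s} {profile:24s} {op:8s} {mask:7s} {target}")
```

To run it on a real capture, save the journalctl output to a file and pass its contents to `summarize()` in place of `SAMPLE_LOG`.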