Bug#940578: fixed in cups 2.3.0-6
Hello Intrigeri,
no, this is not included in /etc/apparmor.d/usr.sbin.cupsd.
Regards,
Rudolf Polzer
Am 11.12.19 um 07:50 schrieb intrigeri:
Does your /etc/apparmor.d/usr.sbin.cupsd end with these lines:
# allow read and write on almost anything in @{HOME} (lenient, but
# private-files-strict is in effect), to support customized "Out"
# setting in cups-pdf.conf (Debian#940578)
#include
@{HOME}/[^.]*/{,**/} rw,
@{HOME}/[^.]*/** rw,
}
?
Bug#940578: fixed in cups 2.3.0-6
Hi Rudolf,
Rudolf Polzer:
> audit: type=1400 audit(1574498651.326:33): apparmor="DENIED"
> operation="mknod" profile="/usr/lib/cups/backend/cups-pdf"
> name="/home/rudi/Transport/home_rudi_Transport.pdf" pid=2963 comm="gs"
> requested_mask="c" denied_mask="c" fsuid=1000 ouid=1
You've mentioned earlier that you were running Debian stable,
so perhaps you don't actually have the fix which was uploaded
in cups 2.3.0-6.
Does your /etc/apparmor.d/usr.sbin.cupsd end with these lines:
# allow read and write on almost anything in @{HOME} (lenient, but
# private-files-strict is in effect), to support customized "Out"
# setting in cups-pdf.conf (Debian#940578)
#include
@{HOME}/[^.]*/{,**/} rw,
@{HOME}/[^.]*/** rw,
}
?
Cheers,
--
intrigeri
Bug#940578: fixed in cups 2.3.0-6
Hi Rudolf, Rudolf Polzer: > please make a suggestion how I should now proceed to get pdf printing > running on my stable Debian, because selecting a subdirectory of home > doesn't work - I get the same error message as before. Please share your /etc/cups/cups-pdf.conf and the exact AppArmor denial logs. You might need to first restart CUPS services to see your cups-pdf.conf changes applied. Thanks! Cheers, -- intrigeri
Bug#940578: fixed in cups 2.3.0-6
Hi intrigeri, please make a suggestion how I should now proceed to get pdf printing running on my stable Debian, because selecting a subdirectory of home doesn't work - I get the same error message as before. Regards, Rudolf
Bug#940578: fixed in cups 2.3.0-6
Le jeudi, 21 novembre 2019, 08.46:43 h CET intrigeri a écrit :
> Hi,
>
> Rudolf Polzer:
> > For me it is still not working, because I changed
> > /etc/cups/cups-pdf.conf
> >
> > from
> > Out ${HOME}/Transport
> > to
> > Out ${HOME}
> >
> > and get the error message
> >
> > audit[5146]: AVC apparmor="DENIED" operation="mknod"
> > profile="/usr/lib/cups/backend/cups-pdf" name="/home/rudi/home_rudi.pdf"
> > pid=5146 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
>
> Indeed, the fix only covers sub-directories of $HOME.
> Technically it's easy to also support this use case.
> I'm happy to implement this if the CUPS maintainers
> prefer a more lenient AppArmor confinement of cups-pdf,
> in order to improve UX in this (arguably corner) case.
As CUPS maintainer; the current situation is fine; I find letting cups-pdf
write to $HOME directly to be debatable; and the error makes sense.
Cheers,
OdyX
Bug#940578: fixed in cups 2.3.0-6
Hi,
Rudolf Polzer:
> For me it is still not working, because I changed
> /etc/cups/cups-pdf.conf
> from
> Out ${HOME}/Transport
> to
> Out ${HOME}
> and get the error message
> audit[5146]: AVC apparmor="DENIED" operation="mknod"
> profile="/usr/lib/cups/backend/cups-pdf" name="/home/rudi/home_rudi.pdf"
> pid=5146 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Indeed, the fix only covers sub-directories of $HOME.
Technically it's easy to also support this use case.
I'm happy to implement this if the CUPS maintainers
prefer a more lenient AppArmor confinement of cups-pdf,
in order to improve UX in this (arguably corner) case.
Cheers,
--
intrigeri
Bug#940578: fixed in cups 2.3.0-6
For me it is still not working, because I changed
/etc/cups/cups-pdf.conf
from
Out ${HOME}/Transport
to
Out ${HOME}
and get the error message
audit[5146]: AVC apparmor="DENIED" operation="mknod"
profile="/usr/lib/cups/backend/cups-pdf" name="/home/rudi/home_rudi.pdf"
pid=5146 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
