Bug#940578: fixed in cups 2.3.0-6
Hello Intrigeri, no, this is not included in /etc/apparmor.d/usr.sbin.cupsd. Regards, Rudolf Polzer Am 11.12.19 um 07:50 schrieb intrigeri: Does your /etc/apparmor.d/usr.sbin.cupsd end with these lines: # allow read and write on almost anything in @{HOME} (lenient, but # private-files-strict is in effect), to support customized "Out" # setting in cups-pdf.conf (Debian#940578) #include @{HOME}/[^.]*/{,**/} rw, @{HOME}/[^.]*/** rw, } ?
Bug#940578: fixed in cups 2.3.0-6
Hi Rudolf, Rudolf Polzer: > audit: type=1400 audit(1574498651.326:33): apparmor="DENIED" > operation="mknod" profile="/usr/lib/cups/backend/cups-pdf" > name="/home/rudi/Transport/home_rudi_Transport.pdf" pid=2963 comm="gs" > requested_mask="c" denied_mask="c" fsuid=1000 ouid=1 You've mentioned earlier that you were running Debian stable, so perhaps you don't actually have the fix which was uploaded in cups 2.3.0-6. Does your /etc/apparmor.d/usr.sbin.cupsd end with these lines: # allow read and write on almost anything in @{HOME} (lenient, but # private-files-strict is in effect), to support customized "Out" # setting in cups-pdf.conf (Debian#940578) #include @{HOME}/[^.]*/{,**/} rw, @{HOME}/[^.]*/** rw, } ? Cheers, -- intrigeri
Bug#940578: fixed in cups 2.3.0-6
Hi Rudolf, Rudolf Polzer: > please make a suggestion how I should now proceed to get pdf printing > running on my stable Debian, because selecting a subdirectory of home > doesn't work - I get the same error message as before. Please share your /etc/cups/cups-pdf.conf and the exact AppArmor denial logs. You might need to first restart CUPS services to see your cups-pdf.conf changes applied. Thanks! Cheers, -- intrigeri
Bug#940578: fixed in cups 2.3.0-6
Hi intrigeri, please make a suggestion how I should now proceed to get pdf printing running on my stable Debian, because selecting a subdirectory of home doesn't work - I get the same error message as before. Regards, Rudolf
Bug#940578: fixed in cups 2.3.0-6
Le jeudi, 21 novembre 2019, 08.46:43 h CET intrigeri a écrit : > Hi, > > Rudolf Polzer: > > For me it is still not working, because I changed > > /etc/cups/cups-pdf.conf > > > > from > > Out ${HOME}/Transport > > to > > Out ${HOME} > > > > and get the error message > > > > audit[5146]: AVC apparmor="DENIED" operation="mknod" > > profile="/usr/lib/cups/backend/cups-pdf" name="/home/rudi/home_rudi.pdf" > > pid=5146 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 > > Indeed, the fix only covers sub-directories of $HOME. > Technically it's easy to also support this use case. > I'm happy to implement this if the CUPS maintainers > prefer a more lenient AppArmor confinement of cups-pdf, > in order to improve UX in this (arguably corner) case. As CUPS maintainer; the current situation is fine; I find letting cups-pdf write to $HOME directly to be debatable; and the error makes sense. Cheers, OdyX
Bug#940578: fixed in cups 2.3.0-6
Hi, Rudolf Polzer: > For me it is still not working, because I changed > /etc/cups/cups-pdf.conf > from > Out ${HOME}/Transport > to > Out ${HOME} > and get the error message > audit[5146]: AVC apparmor="DENIED" operation="mknod" > profile="/usr/lib/cups/backend/cups-pdf" name="/home/rudi/home_rudi.pdf" > pid=5146 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 Indeed, the fix only covers sub-directories of $HOME. Technically it's easy to also support this use case. I'm happy to implement this if the CUPS maintainers prefer a more lenient AppArmor confinement of cups-pdf, in order to improve UX in this (arguably corner) case. Cheers, -- intrigeri
Bug#940578: fixed in cups 2.3.0-6
For me it is still not working, because I changed /etc/cups/cups-pdf.conf from Out ${HOME}/Transport to Out ${HOME} and get the error message audit[5146]: AVC apparmor="DENIED" operation="mknod" profile="/usr/lib/cups/backend/cups-pdf" name="/home/rudi/home_rudi.pdf" pid=5146 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000