[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
[Expired for cups (Ubuntu) because there has been no activity for 60 days.] ** Changed in: cups (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Expired Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.version: x.x dmi.chassis.asset.tag: Default string dmi.chassis.type: 3 dmi.chassis.vendo
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Ooops. Ignore the previous post. Those were the wrong instructions. These are the correct ones: 1. Install fresh copy of Ubuntu. 2. Install printer-driver-cups-pdf. 3. Change cups-pdf's output directory in /etc/cups/cups-pdf.conf to some directory outside of the user's home directory, and that the user has write access to that directory's parent. 4. Make sure the directory defined in step 3 does not exist. 5. Attempt to print using CUPS PDF. 6. Notice the DENIED error in dmesg, and the directory defined in step 3 still does not exist. 6. Notice that cups-pdf lacks an apparmor profile of it's own and is stored alongside the cupsd profile in /etc/apparmor.d 7. Notice that unlike cupsd, cups-pdf's profile does not have an include statement for local profile modifications in /etc/apparmor.d/local 8. Attempt to change the default profile for cups-pdf anyway, reload the new default profile, and try to print again. 9. Find your pdf in the directory defined in step 3. 10. Wait until the cups package is updated again. (Accept the maintainer version of /etc/apparmor.d/usr.sbin.cupsd when asked.) 11. Notice your changes to the default profile have been wiped out by the update, and you can no longer print using CUPS PDF if the directory defined in step 3 is moved or deleted. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H N
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
1. Install fresh copy of Ubuntu. 2. Make sure ~/PDF does not exist. 3. Install printer-driver-cups-pdf. 4. Attempt to print using CUPS PDF. 5. Notice the DENIED error in dmesg, and the lack of a ~/PDF directory. 6. Notice that cups-pdf lacks an apparmor profile of it's own and is stored alongside the cupsd profile in /etc/apparmor.d 7. Notice that unlike cupsd, cups-pdf's profile does not have an include statement for local profile modifications in /etc/apparmor.d/local 8. Attempt to change the default profile for cups-pdf anyway, reload the new default profile, and try to print again. 9. Find your pdf in ~/PDF. 10. Wait until the cups package is updated again. (Accept the maintainer version of /etc/apparmor.d/usr.sbin.cupsd when asked.) 11. Notice your changes to the default profile have been wiped out by the update, and you can no longer print using CUPS PDF if ~/PDF is moved / or deleted. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 r
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Hi Patrick, I just want to clarify the issue for the programmers. Could you post the exact steps to reproduce? For example, 1. Open terminal. 2. type "synaptic... 3 Thanks G -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.version: x.x dmi.chassis.asset.tag: Default string d
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Hi Patrick, there is no other package with which to associate this bug report. And I will look at preparing this report for the programmers. :) G -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.version: x.x dmi.chassis.asset.tag: Default string dmi.chassis.type: 3 dmi.chassi
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Thanks for the additional information and the patch file, Patrick. I will contact the bug control team to see if this bug should be associated with a different Ubuntu package. And I will look at preparing this report for the programmers. Thanks again for your patience. :) G -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor:
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
The attachment "Allows site-specific overrides for the cups-pdf profile." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megat
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1675503 <- That has nothing to do with this bug. https://bugs.launchpad.net/ubuntu/+source/cups-pdf/+bug/1166786 <- Sort of, that describes the issue and admits the issue's existance, but does not actually fix it. What I mean by that is the apparmor profile for cups-pdf does not allow local modifications by default. Bug #1166786 says you need to make modifications to workaround the issue, but even if you do, your changes will be wiped out when the cups-daemon package gets updated. I attached a patch for the cups-pdf apparmor profile to allow local modifications, but it will get wiped out too unless it gets integrated into the cups-daemon package. Sidenote: Why is the apparmor profile for cups-pdf in cups-daemon? The pdf backend is in a separate package: printer-driver-cups-pdf. ** Patch added: "Allows site-specific overrides for the cups-pdf profile." https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1698693/+attachment/5186550/+files/local_override_cups-pdf.patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Hi again, Patrick. Here is an older bug report that seems to be the same issue. Could you look at it and let me know if it is the same issue as yours? https://bugs.launchpad.net/ubuntu/+source/cups-pdf/+bug/1166786 Thanks G -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.version:
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Hi Patrick, Just to confirm, this is still a problem for you in 18.04? Also could you look at the following bug and see if it is the same as your bug report: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1675503 Thanks G -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.ver
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
I'm using Bionic. (18.04.1 LTS) x64 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.version: x.x dmi.chassis.asset.tag: Default string dmi.chassis.type: 3 dmi.chassis.vendor: Default string dmi.chassis.version: Default string dmi.modalias: dmi:bvnAmericanMegatrendsInc.:b
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Hi Patrick. Thanks for the update and the apport info. I'll look at next steps. Also, what version of Ubuntu are you using? Take care :) G -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.version: x.x dmi.chassis.asset.tag: Default string dmi.chassis.type: 3 dmi.chassis.vendor
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Hmm... Access Denied, should I resubmit using a different login? Also the lack of an include directive for /usr/lib/cups/backend/cups-pdf in /etc/apparmor.d/usr.sbin.cupsd to allow using a different path for pdf output is still an issue. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. --- ProblemType: Bug ApportVersion: 2.20.9-0ubuntu7.2 Architecture: amd64 CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' CurrentDesktop: MATE DistroRelease: Ubuntu 18.04 InstallationDate: Installed on 2017-11-24 (281 days ago) InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) Lpstat: device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series device for PDF: cups-pdf:/ MachineType: Gigabyte Technology Co., Ltd. A320M-S2H NonfreeKernelModules: nvidia_modeset nvidia Package: cups 2.2.7-1ubuntu2.1 PackageArchitecture: amd64 Papersize: letter PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 Tags: bionic apparmor apparmor apparmor apparmor Uname: Linux 4.15.0-33-generic x86_64 UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) UserGroups: _MarkForUpload: True dmi.bios.date: 02/08/2018 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F21 dmi.board.asset.tag: Default string dmi.board.name: A320M-S2H-CF dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.b
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
apport information ** Tags added: apparmor apport-collected bionic ** Description changed: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. + --- + ProblemType: Bug + ApportVersion: 2.20.9-0ubuntu7.2 + Architecture: amd64 + CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log' + CurrentDesktop: MATE + DistroRelease: Ubuntu 18.04 + InstallationDate: Installed on 2017-11-24 (281 days ago) + InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 (20171018) + Lpstat: + device for EPSONET-4550: ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series + device for PDF: cups-pdf:/ + MachineType: Gigabyte Technology Co., Ltd. A320M-S2H + NonfreeKernelModules: nvidia_modeset nvidia + Package: cups 2.2.7-1ubuntu2.1 + PackageArchitecture: amd64 + Papersize: letter + PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: Permission denied + ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash + ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal quiet splash + ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18 + Tags: bionic apparmor apparmor apparmor apparmor + Uname: Linux 4.15.0-33-generic x86_64 + UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago) + UserGroups: + + _MarkForUpload: True + dmi.bios.date: 02/08/2018 + dmi.bios.vendor: American Megatrends Inc. + dmi.bios.version: F21 + dmi.board.asset.tag: Default string + dmi.board.name: A320M-S2H-CF + dmi.board.vendor: Gigabyte Technology Co., Ltd. + dmi.board.version: x.x + dmi.chassis.asset.tag: Default string + dmi.chassis.type: 3 + dmi.chassis.vendor: Default string + dmi.chassis.version: Default string + dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF21:bd02/08/2018:svnGigabyteTechnologyCo.,Ltd.:pnA320M-S2H:pvrDefaultstring:rvnGigabyteTechnologyCo.,Ltd.:rnA320M-S2H-CF:rvrx.x:cvnDefaultstring:ct3:cvrDefaultstring: + dmi.product.family: Def
[Desktop-packages] [Bug 1698693] Re: cups-pdf blocked by apparmor
Hello Patrick, Thank you for submitting this bug and reporting a problem with cups. You made this bug report some time ago and Ubuntu has been updated since then. Could you confirm that this is no longer a problem and that we can close the ticket? If it is still a problem, are you still interested in finding a solution to this bug? If you are, could you let us know, and in the current version, run the following (only once): apport-collect BUGNUMBER and upload the updated logs and and any other logs that are relevant for this particular issue. Thank you again for helping make Ubuntu better. G [Ubuntu Bug Squad volunteer triager] ** Changed in: cups (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1698693 Title: cups-pdf blocked by apparmor Status in cups package in Ubuntu: Incomplete Bug description: cups-pdf cannot create the ~/PDF directory if it does not exist and fails with no indication to the user. It should however be pointed out that cups-pdf allows the system administrator to change it's output directory by changing the Out key in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again if the admin changes the Out key to some other location outside of the ${HOME}/PDF directory. (It's default setting.) cups-pdf also does not have an #include for using local overrides in it's apparmor config. As such any fixes that the local admin makes will be overwritten by the next update to the cups package, breaking it again. Description: Ubuntu 16.04.2 LTS Release: 16.04 printer-driver-cups-pdf: Installed: 2.6.1-21 Candidate: 2.6.1-21 Version table: *** 2.6.1-21 500 500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages 100 /var/lib/dpkg/status cups: Installed: 2.1.3-4 Candidate: 2.1.3-4 Version table: *** 2.1.3-4 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status What happened: cups-pdf when installed for the first time fails with the following apparmor denials: [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd" [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf" [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 What I expected to happen: cups-pdf creates the pdf file it was supposed to. As a workaround, I set cups-pdf to use the third-party settings from the cups profile, then it worked as expected. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1698693/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp