Package: cups-daemon
Version: 2.4.16-1
Severity: normal
Tags: patch
Dear Maintainer,
/etc/apparmor.d/usr.sbin.cupsd (shipped by cups-daemon) fails to load with:
profile has merged rule with conflicting x modifiers ERROR processing regexs
for profile /usr/sbin/cupsd, failed to load
Steps to reproduce
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
Expected result
The profile loads and cupsd runs under AppArmor confinement.
Actual result
The parser reports "profile has merged rule with conflicting x
modifiers" and refuses to load the profile; cupsd then runs unconfined
or with a failed profile load.
Cause
The profile includes abstractions/lightdm, which adds broad execute
rules (e.g. /usr/** rmixk). The profile also has specific execute rules
with different x modifiers (e.g. /usr/lib/cups/backend/cups-pdf Px).
When the parser merges these, the same path gets conflicting execute
modifiers (e.g. ix vs Px), which triggers the error (see e.g. AppArmor
GitLab issue #93). The lightdm abstraction is for display-manager guest
sessions, not for the CUPS daemon, so including it in usr.sbin.cupsd is
inappropriate and causes the conflict.
Suggested fix
In the cups-daemon package, remove the lightdm include from
/etc/apparmor.d/usr.sbin.cupsd
--- usr.sbin.cupsd-dist 2026-02-09 16:08:58.676266796 -0800
+++ usr.sbin.cupsd 2026-02-09 15:59:43.869866156 -0800
@@ -50,7 +50,7 @@
include <abstractions/bash>
include <abstractions/dbus>
include <abstractions/fonts>
- include <abstractions/lightdm>
+# include <abstractions/lightdm>
include <abstractions/nameservice>
include <abstractions/perl>
include <abstractions/user-tmp>
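Review bot: The added line `# include <abstractions/lightdm>` is one whitespace character away from being active again, because AppArmor still accepts the legacy `#include <...>` spelling as a real include directive. Deleting the line outright, as the "Suggested fix" text says, is safer than commenting it out. If a record of the removal is wanted in the file, use a comment that does not contain the directive, e.g. `# abstractions/lightdm intentionally omitted: its broad x rules conflict with the Cx/Px rules in this profile`. Dropping the abstraction also withdraws any access cupsd was getting through it (the report cites `/usr/** rmixk`), so the updated profile should be loaded in enforce mode and the audit log checked for new denials across a print job. The profile body starts and ends outside this hunk.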
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.18.9+deb14-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups-daemon depends on:
ii adduser 3.152
ii bc 1.07.1-3+b1
ii init-system-helpers 1.68
ii libavahi-client3 0.8-18
ii libavahi-common3 0.8-18
ii libc6 2.42-11
ii libcups2t64 2.4.16-1
ii libdbus-1-3 1.16.2-2+b1
ii libgssapi-krb5-2 1.21.3-5
ii libpam0g 1.7.0-5
ii libpaper2 2.2.5-0.3+b1
ii libsystemd0 259-1
ii lsb-base 11.6
ii procps 2:4.0.4-2
ii ssl-cert 1.1.2
ii sysvinit-utils [lsb-base] 3.06-2
Versions of packages cups-daemon recommends:
ii avahi-daemon 0.8-18
pn colord <none>
ii cups-browsed 1.28.17-7
ii ipp-usb 0.9.23-1+b3
Versions of packages cups-daemon suggests:
ii cups 2.4.16-1
ii cups-bsd 2.4.16-1
ii cups-client 2.4.16-1
ii cups-common 2.4.16-1
ii cups-filters 1.28.17-7
pn cups-pdf <none>
ii cups-ppdc 2.4.16-1
ii cups-server-common 2.4.16-1
pn foomatic-db-compressed-ppds | foomatic-db <none>
ii ghostscript 10.06.0~dfsg-3
ii poppler-utils 25.03.0-11.1+b1
ii smbclient 2:4.23.5+dfsg-1
ii udev 259-1
-- Configuration Files:
/etc/apparmor.d/usr.sbin.cupsd changed:
include <tunables/global>
# Profile for the cups-pdf backend binary. The cupsd profile in this file
# hands off to it through its `/usr/lib/cups/backend/cups-pdf Px` rule.
/usr/lib/cups/backend/cups-pdf {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/nameservice>
# NOTE(review): private-files-strict is expected to block access to
# credential stores under the home directory - confirm against the
# abstraction installed on the system.
include <abstractions/private-files-strict>
include <abstractions/user-tmp>
# Optional site-local additions; skipped when the file does not exist.
include if exists <local/usr.lib.cups.backend.cups-pdf>
# Ownership, permission-bypass and uid/gid-switching capabilities.
# NOTE(review): presumably needed to write output as the job owner - confirm.
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
# Unix-socket traffic is allowed only with a peer labelled /usr/sbin/cupsd.
unix peer=(label=/usr/sbin/cupsd),
/etc/cups/cups-pdf.conf r,
/etc/cups/ppd/*.ppd r,
/etc/papersize r,
# ix: Ghostscript runs inside this same profile, not a separate one.
/usr/bin/gs rix,
/usr/lib/cups/backend/cups-pdf mr,
/usr/lib/ghostscript/** mr,
/usr/share/** r,
# Write-only access to the backend's own log files.
/var/log/cups/cups-pdf*_log w,
/var/spool/cups-pdf/** rw,
# The cupsd spool is readable here but not writable.
/var/spool/cups/** r,
# Shells and cp also run with ix, i.e. under this profile.
/{usr/,}bin/bash rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/dash rix,
# Read/write below top-level home entries whose name does not start with a
# dot ([^.]*); hidden top-level directories are not matched by these rules.
@{HOME}/[^.]*/** rw,
@{HOME}/[^.]*/{,**/} rw,
@{PROC}/*/auxv r,
}
# Profile for the CUPS scheduler, with a nested `third_party` child profile
# at the end. attach_disconnected makes paths that are disconnected from the
# namespace match as if attached to the root (see apparmor.d(5)).
/usr/sbin/cupsd flags=(attach_disconnected) {
# abstractions/lightdm does not appear in this include list.
include <abstractions/authentication>
include <abstractions/base>
include <abstractions/bash>
include <abstractions/dbus>
include <abstractions/fonts>
include <abstractions/nameservice>
include <abstractions/perl>
include <abstractions/user-tmp>
# Optional site-local additions; skipped when the file does not exist.
include if exists <local/usr.sbin.cupsd>
# Explicit deny; a deny rule without `audit` is not logged.
deny capability block_suspend,
# Capabilities granted to the scheduler itself.
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
capability wake_alarm,
# Extra address families allowed explicitly in this profile.
network appletalk dgram,
network ash dgram,
network ax25 dgram,
network bluetooth,
network econet dgram,
network ipx dgram,
network netrom seqpacket,
network rose dgram,
network x25 seqpacket,
# cupsd may not send SIGTERM to unconfined processes; signals and unix
# sockets are allowed with the third_party child and the cups-pdf profile.
deny signal send set=term peer=unconfined,
signal peer=/usr/sbin/cupsd//third_party,
unix peer=(label=/usr/lib/cups/backend/cups-pdf),
unix peer=(label=/usr/sbin/cupsd//third_party),
deny /dev/tty rw, # silence noise
# krb5.conf is read-only: the write is denied here, the read is allowed below.
deny /etc/krb5.conf w,
deny /etc/udev/udev.conf r,
deny /{,var/}run/samba/ rw,
# Device nodes for USB, parallel and serial printers.
/dev/bus/usb/ r,
/dev/bus/usb/** rw,
/dev/lp* rw,
/dev/parport* rw,
/dev/ttyS* rw,
/dev/ttyUSB* rw,
/dev/usb/lp* rw,
/etc/cups/ rw,
/etc/cups/** rw,
# NOTE(review): w and ix on the same glob means files writable under this
# profile are also executable under it - confirm this is still required.
/etc/cups/interfaces/* rwix,
# k = file locking.
/etc/cups/krb5.keytab rwk,
/etc/foomatic/* r,
/etc/gai.conf r,
/etc/krb5.conf r,
/etc/krb5.keytab rk,
# NOTE(review): presumably lets cupsd read Let's Encrypt material for TLS;
# check whether this tree also holds private keys on the target system.
/etc/letsencrypt/archive/** r,
/etc/likewise r,
/etc/likewise/* r,
/etc/papersize r,
/etc/pnm2ppa.conf r,
/etc/printcap rwl,
/etc/ssl/** r,
# Broad ix rule: anything executed from /opt stays in the cupsd profile.
/opt/** rix,
/run/systemd/notify w,
/sys/** r,
/tmp/krb5cc* k,
# Cx -> third_party: these executables switch to the child profile defined
# at the end of this profile.
/usr/Brother/** Cx -> third_party,
/usr/bin/* rix,
/usr/bin/hpijs Cx -> third_party,
/usr/lib/** mr,
# The backend glob uses Cx while the exact-path backend rules after it use
# ix or Px. NOTE(review): an exact path is expected to take precedence over
# a glob for the x modifier, whereas two overlapping globs with different
# x modifiers do not load - confirm against apparmor.d(5).
/usr/lib/cups/backend/* Cx -> third_party,
/usr/lib/cups/backend/bluetooth rix,
# Px: transition to the separate cups-pdf profile defined in this file.
/usr/lib/cups/backend/cups-pdf Px,
/usr/lib/cups/backend/dnssd rix,
/usr/lib/cups/backend/http rix,
/usr/lib/cups/backend/ipp rix,
/usr/lib/cups/backend/lpd rix,
/usr/lib/cups/backend/mdns rix,
/usr/lib/cups/backend/parallel rix,
/usr/lib/cups/backend/serial rix,
/usr/lib/cups/backend/snmp rix,
/usr/lib/cups/backend/socket rix,
/usr/lib/cups/backend/usb rix,
/usr/lib/cups/cgi-bin/* rix,
/usr/lib/cups/daemon/* rix,
# Drivers and filters run in the third_party child profile.
/usr/lib/cups/driver/* rCx -> third_party,
/usr/lib/cups/filter/** rCx -> third_party,
/usr/lib/cups/monitor/* rix,
/usr/lib/cups/notifier/* rix,
/usr/local/** mr,
/usr/local/lib/cups/** rix,
/usr/sbin/* rix,
/usr/share/** r,
/var/cache/cups/ rw,
/var/cache/cups/** rwk,
/var/cache/samba/*.tdb r,
/var/log/cups/ rw,
/var/log/cups/* rw,
/var/spool/cups/ rw,
/var/spool/cups/** rw,
/var/{cache,lib}/samba/printing/printers.tdb r,
/{,var/}run/** mr,
/{,var/}run/avahi-daemon/socket rw,
/{,var/}run/cups/ rw,
/{,var/}run/cups/** rw,
/{,var/}run/samba/** rw,
# Broad ix rules: every program in the bin and sbin directories runs under
# the cupsd profile itself when cupsd executes it.
/{usr/,}bin/* rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/hostname rix,
/{usr/,}sbin/* rix,
@{PROC}/*/auxv r,
@{PROC}/*/net/ r,
@{PROC}/*/net/** r,
@{PROC}/net/ r,
@{PROC}/net/* r,
@{PROC}/sys/crypto/** r,
@{PROC}/sys/dev/parport/** r,
# Child profile reached through the `Cx -> third_party` rules above. It
# grants all capabilities except mac_admin (denied and audited) and puts no
# restriction on network, dbus, signal, ptrace, unix or file access, so
# programs that land here are confined very little.
profile third_party flags=(attach_disconnected) {
audit deny capability mac_admin,
capability,
network,
dbus,
signal,
ptrace,
unix,
file,
}
}
-- no debconf information