Package: cups-daemon
Version: 2.4.10-3+deb13u2
Severity: normal
X-Debbugs-Cc: [email protected]

Dear Maintainer,

Attempting to use cups with sssd for local user auth (host is joined to a
Samba4 AD domain controller) results in various apparmor denials in dmesg and
journal.

Snip:
***
[2597432.773237] audit: type=1400 audit(1773438364.533:252): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd"
name="/var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM" pid=1272377 comm="cupsd"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
***

Adding '/var/lib/sss/pubconf/* r,' to the /etc/apparmor.d/local/usr.sbin.cupsd
file and reloading the apparmor profiles fixed that one.

I should also point out that I was also getting an apparmor denial for
/tmp/krb5cc*. I'm not sure if that's due to PAM using SSSD or because of CUPS
itself having Kerberos support enabled in its config, but as Kerberos support
has been deprecated in upstream CUPS, I'm not sure if this one should be fixed
in the package or not. (I'm including it here for the sake of completeness):
***
[2597540.497594] audit: type=1400 audit(1773438472.257:316): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/tmp/krb5cc_1254001189_9iCQrt"
pid=1272377 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0
ouid=1254001189
***

Either way adding '/tmp/krb5cc* kw,' to the
/etc/apparmor.d/local/usr.sbin.cupsd file and reloading the apparmor profiles
fixed that one.

The last one was cupsd trying to get a file lock on /run/utmp.
***
[2597528.684960] audit: type=1400 audit(1773438460.445:313): apparmor="DENIED"
operation="file_lock" profile="/usr/sbin/cupsd" name="/run/utmp" pid=1272377
comm="cupsd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
***

Adding '/run/utmp k,' to /etc/apparmor.d/local/usr.sbin.cupsd fixed that one.

Finally, I'll add that in my case, bug #980974 applies to my system, as does the
"solution" with the addition of 'sys_admin' capability as well:
***
[2594412.199660] audit: type=1400 audit(1773435343.960:19): apparmor="DENIED"
operation="capable" profile="/usr/sbin/cupsd" pid=1271741 comm="usb"
capability=21  capname="sys_admin"
[2595749.893101] audit: type=1400 audit(1773436681.651:36): apparmor="DENIED"
operation="capable" profile="/usr/sbin/cupsd" pid=1271741 comm="usb"
capability=12  capname="net_admin"
***

Have a good day!
-Patrick Hibbs


-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.73+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser                    3.152
ii  bc                         1.07.1-4
ii  init-system-helpers        1.69~deb13u1
ii  libavahi-client3           0.8-16
ii  libavahi-common3           0.8-16
ii  libc6                      2.41-12+deb13u1
ii  libcups2t64                2.4.10-3+deb13u2
ii  libdbus-1-3                1.16.2-2
ii  libgssapi-krb5-2           1.21.3-5
ii  libpam0g                   1.7.0-5
ii  libpaper2                  2.2.5-0.3+b2
ii  libsystemd0                257.9-1~deb13u1
ii  procps                     2:4.0.4-9
ii  ssl-cert                   1.1.3
ii  sysvinit-utils [lsb-base]  3.14-4

Versions of packages cups-daemon recommends:
ii  avahi-daemon  0.8-16
ii  colord        1.4.7-3
pn  cups-browsed  <none>
ii  ipp-usb       0.9.23-2+b7

Versions of packages cups-daemon suggests:
ii  cups                                       2.4.10-3+deb13u2
ii  cups-bsd                                   2.4.10-3+deb13u2
ii  cups-client                                2.4.10-3+deb13u2
ii  cups-common                                2.4.10-3+deb13u2
ii  cups-filters                               1.28.17-6+deb13u1
pn  cups-pdf                                   <none>
ii  cups-ppdc                                  2.4.10-3+deb13u2
ii  cups-server-common                         2.4.10-3+deb13u2
pn  foomatic-db-compressed-ppds | foomatic-db  <none>
ii  ghostscript                                10.05.1~dfsg-1+deb13u1
ii  poppler-utils                              25.03.0-5+deb13u2
ii  smbclient                                  2:4.22.6+dfsg-0+deb13u1
ii  udev                                       257.9-1~deb13u1

-- no debconf information
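
An added example, not part of the original report or of the cups package: a small Python parser that rejoins the mail-wrapped denial records quoted in the report and groups them into candidate rule lines per profile for review. It emits the exact paths and masks seen in the log (widening them to globs is a reviewer's decision), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: denial records copied from the report, line-wrapped as mailed.
SAMPLE = '''[2597432.773237] audit: type=1400 audit(1773438364.533:252): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd"
name="/var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM" pid=1272377 comm="cupsd"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2597540.497594] audit: type=1400 audit(1773438472.257:316): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/tmp/krb5cc_1254001189_9iCQrt"
pid=1272377 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0
ouid=1254001189
[2597528.684960] audit: type=1400 audit(1773438460.445:313): apparmor="DENIED"
operation="file_lock" profile="/usr/sbin/cupsd" name="/run/utmp" pid=1272377
comm="cupsd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[2594412.199660] audit: type=1400 audit(1773435343.960:19): apparmor="DENIED"
operation="capable" profile="/usr/sbin/cupsd" pid=1271741 comm="usb"
capability=21  capname="sys_admin"
[2595749.893101] audit: type=1400 audit(1773436681.651:36): apparmor="DENIED"
operation="capable" profile="/usr/sbin/cupsd" pid=1271741 comm="usb"
capability=12  capname="net_admin"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
RECORD_START = re.compile(r'audit: type=1400 ')    # works for dmesg and journal

def parse_denials(text):
    """Rejoin wrapped records, return one field dict per AppArmor DENIED event."""
    flat = " ".join(text.split())                  # undo mail/terminal wrapping
    records = RECORD_START.split(flat)
    events = [{k: q or u for k, q, u in FIELD.findall(r)} for r in records]
    return [e for e in events if e.get("apparmor") == "DENIED"]

def summarize(events):
    """Map profile -> sorted candidate rule lines, merging masks per path."""
    files, caps = defaultdict(set), defaultdict(set)
    for e in events:
        if e.get("operation") == "capable":
            caps[e["profile"]].add(e["capname"])
        elif "name" in e:   # masks copied verbatim from the log (r, w, k here)
            files[(e["profile"], e["name"])].update(e.get("denied_mask", ""))
    out = defaultdict(list)
    for (profile, path), mask in files.items():
        out[profile].append(f"{path} {''.join(sorted(mask))},")
    for profile, names in caps.items():
        out[profile] += [f"capability {n}," for n in names]
    return {p: sorted(rules) for p, rules in out.items()}
```

Calling `summarize(parse_denials(SAMPLE))` returns the candidate lines keyed by profile, which can be compared against what is already in the local override file before anything is added.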
