Control: tag -1 + patch

Hi,

gregor herrmann:
> apparmor newbie here.

Thanks for trying AppArmor :)

> Without doing anything printer-related, aa-notify informed me about
> an apparmor problem with cupsd; syslog says:

> Aug 21 16:40:22 jadzia kernel: [95510.664500] audit: type=1400
> audit(1503326422.923:230): apparmor="DENIED" operation="capable"
> profile="/usr/sbin/cupsd" pid=21581 comm="cupsd" capability=2
> capname="dac_read_search"

Thanks! I cannot reproduce this myself, but I'm not surprised:
I've seen profiles that allowed dac_override start needing
dac_read_search, presumably due to a change in libc or similar.

The attached (git format-)patch should fix this problem.

Cheers,
--
intrigeri
>From 43e89c29979d25e7757081b3eb5d1eb619f05d2f Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@debian.org> Date: Sun, 3 Sep 2017 10:39:12 +0000 Subject: [PATCH] AppArmor: allow dac_read_search, now needed on top of dac_override (Closes: #872817). --- debian/local/apparmor-profile | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/local/apparmor-profile b/debian/local/apparmor-profile index 13c2940d2..053d1c1ff 100644 --- a/debian/local/apparmor-profile +++ b/debian/local/apparmor-profile @@ -32,6 +32,7 @@ # lot of files to 'lp' which it cannot read/write afterwards any # more capability dac_override, + capability dac_read_search, # the bluetooth backend needs this network bluetooth, -- 2.14.1
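Review bot: the new `capability dac_read_search,` line in the `@@ -32,6 +32,7 @@` hunk of debian/local/apparmor-profile has no comment of its own, and the comment above it ("lot of files to 'lp' which it cannot read/write afterwards any more") only explains dac_override. Suggest adding a one-line comment directly above the new rule saying that cupsd is otherwise denied operation="capable" capname="dac_read_search" (#872817) and that it is needed on top of dac_override, so that someone auditing the profile's capabilities later can see why it is granted without digging through the changelog.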